Drupal security hole - October 2014

https://www.drupal.org/PSA-2014-003

http://grahamcluley.com/2014/10/assume-unpatched-websites-running-drupal-7-compromised/

https://news.ycombinator.com/item?id=8528605

Some excerpts from the above links:

Date: 2014-October-29
Security risk: 25/25 (Highly Critical)

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Simply updating to Drupal 7.32 will not remove backdoors. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

...

What an unholy mess.

In a nutshell, if your site wasn’t protected within a few hours of Drupal’s announcement on October 15th, you need to restore it from an old backup or rebuild it from the ground up.

...

Whenever I read about the latest vulnerability in a popular WCMS, I wonder why static HTML export still doesn't seem to be a prioritized feature in popular systems.

Are there any well-maintained open-source CMS out there where static HTML export is an integral part of the architecture, ideally with good usability and written in PHP (not that I like the language, but that's what is available everywhere)? (I'm not talking about command line static site generators without a user-friendly backend - those are only an option for techies.)

I like how the commenter had to provide the disclaimer about not liking PHP in the Hacker News thread. It's probably a required disclaimer, otherwise the commenter could get booted off of HN and maybe the Internet.

Never admit that you like to program in PHP or like to develop around WordPress.

At least the commenter was correct about command-line, static-site generators being only acceptable for techies. Geeks enjoy using complicated things because: 1) it's not mainstream like using WordPress and 2) it gives them a reason to try

From JR's : articles

© 2013-2017 JotHut - Online notebook
