You're viewing old version number 3. - Current version

3 min

Drupal security hole - October 2014

https://www.drupal.org/PSA-2014-003

http://grahamcluley.com/2014/10/assume-unpatched-websites-running-drupal-7-compromised/

https://news.ycombinator.com/item?id=8528605

Some excerpts from the above links:

Date: 2014-October-29
Security risk: 25/25 ( Highly Critical)

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Simply updating to Drupal 7.32 will not remove backdoors. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

...

What a unholy mess.

In a nutshell, if your site wasn’t protected within a few hours of Drupal’s announcement on October 15th, you need to restore it from an old backup or rebuild it from the ground up.

...

Whenever I read about the latest vulnerability in a popular WCMS, I wonder why static HTML export still doesn't seem to be a prioritized feature in popular systems.

Are there any well-maintained open-source CMS out there where static HTML export is an integral part of the architecture, ideally with good usability and written in PHP (not that I like the language, but that's what is available everywhere)? (I'm not talking about command line static site generators without a user-friendly backend - those are only an option for techies.)

I like how the commenter had to provide the disclaimer about not liking PHP in the Hacker News thread. It's probably a required disclaimer, otherwise the commenter could get booted off of HN and maybe the Internet.

Never admit that you like to program in PHP or like to develop around Wordpress.

At least the commenter was correct about command-line, static-site generators being only acceptable for techies.

Geeks enjoy using complicated things because: 1) it's not mainstream like using Wordpress and 2) it gives them a reason to try to simplify the process.

But one of the pros of using a static-site generator is to protect against security holes. But Drupal has existed since at least 2001, and it has a large community of developers. It seems like this security hole would have been found through testing.

One person creating an app in a vacuum could easily introduce a security hole, but it shows that even large, mature open source projects can be flawed at times.

More HN comments that suggest an interesting level of complexity

Can you use a hosted service? Wordpress.net, Shopify, that kind of thing? If you can make that work, that should be your first and only choice. If not... are you really sure that you can't use a hosted service? Okay, then build a site that does static HTML for end users, with a carefully locked-down admin section. On a different domain, if you can.

If you need dynamic features for users (a shopping cart, etc.), again, see if you can integrate a hosted service with your static site. If the reason you can't use a hosted service is because your client is too cheap to pay for it, do not take that client.

Otherwise, if your client absolutely needs bespoke, dynamic features for their end users, and absolutely no hosted service will work for them, they need to invest in a support contract, and you need to tell them up front that they'll have to do that. There are actually contractors out there that do long-term support for other people's apps, if you don't want to be saddled with it yourself.

...

From JR's : articles
616 words - 3744 chars - 3 min read
created on
updated on - #
source - versions



A     A     A     A     A

© 2013-2017 JotHut - Online notebook

current date: May 2, 2024 - 1:31 p.m. EDT