You're viewing old version number 6. - Current version
Drupal security hole - October 2014
https://www.drupal.org/PSA-2014-003
http://grahamcluley.com/2014/10/assume-unpatched-websites-running-drupal-7-compromised/
https://news.ycombinator.com/item?id=8528605
Some excerpts from the above links:
Date: 2014-October-29
Security risk: 25/25 ( Highly Critical)Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Simply updating to Drupal 7.32 will not remove backdoors. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.
...
What a unholy mess.
In a nutshell, if your site wasn’t protected within a few hours of Drupal’s announcement on October 15th, you need to restore it from an old backup or rebuild it from the ground up.
...
Whenever I read about the latest vulnerability in a popular WCMS, I wonder why static HTML export still doesn't seem to be a prioritized feature in popular systems.
Are there any well-maintained open-source CMS out there where static HTML export is an integral part of the architecture, ideally with good usability and written in PHP (not that I like the language, but that's what is available everywhere)? (I'm not talking about command line static site generators without a user-friendly backend - those are only an option for techies.)
I like how the commenter had to provide the disclaimer about not liking PHP in the Hacker News thread. It's probably a required disclaimer, otherwise the commenter could get booted off of HN and maybe the Internet.
Never admit that you like to program in PHP or like to develop around Wordpress.
At least the commenter was correct about command-line, static-site generators being only acceptable for techies.
Geeks enjoy using complicated things because: 1) it's not mainstream like using Wordpress and 2) it gives them a reason to try to simplify the process.
But one of the pros of using a static-site generator is to protect against security holes. But Drupal has existed since at least 2001, and it has a large community of developers. It seems like this security hole would have been found through testing.
One person creating an app in a vacuum could easily introduce a security hole, but it shows that even large, mature open source projects can be flawed at times.
More HN comments that suggest an interesting level of complexity or maybe it's a conundrum.
Since it's 2014 and not 2004, many more useful services exist today than before, and these permit businesses or website owners to "outsource" certain functions.
Another HN thread discussed how site owners should use another service, such as MailGun, to manage email, especially outgoing messages.
I use MailGun with my Grebe blogging app to send the login link. I have not tried installing an email server on my DigitalOcean droplet. I still might, but it was easy to download the MailGun Perl module and use MailGun's API to send a message.
Today, it may be unnecessary for a site owner to try to install or build every function that's required of a web site, but it might also be hard to let go of or outsource certain functions.
Instead of having pieces of the site spread out across multiple services, site owners might prefer to install a CMS and its plugins that attempt to do everything that the site needs.
Anyway, some interesting ideas suggested by HN commenters:
Can you use a hosted service? Wordpress.net, Shopify, that kind of thing? If you can make that work, that should be your first and only choice. If not... are you really sure that you can't use a hosted service? Okay, then build a site that does static HTML for end users, with a carefully locked-down admin section. On a different domain, if you can.If you need dynamic features for users (a shopping cart, etc.), again, see if you can integrate a hosted service with your static site. If the reason you can't use a hosted service is because your client is too cheap to pay for it, do not take that client.
Otherwise, if your client absolutely needs bespoke, dynamic features for their end users, and absolutely no hosted service will work for them, they need to invest in a support contract, and you need to tell them up front that they'll have to do that. There are actually contractors out there that do long-term support for other people's apps, if you don't want to be saddled with it yourself.
...
the ideal system for small websites is a machine that is turned off by default, and when an admin needs to change something it is turned on (even if it takes a whole minute). After the changes are committed, the system creates html and sends to S3. For forms, comments, and dynamic things it's best to use third-party (like facebook comments and a billion forms services), or use a different small machine that captures user input (completely separate from the turned-off admin machine).
...
A separate machine/VM is better from an availability perspective.
...
How so? A separate machine is one more thing that can fail and since it isn't web facing it won't help with availability if the other one fails. And if it is a VM they will both go down if the underlying hardware fails.
...
E.g. the frontend can be replicated (if needed), S3 can be used, while the backend CMS remains intact. Or the backend CMS can be implemented in a HA setup and the static hosting in the cloud.
...
Sure, static export plug-ins do exist in plenty, but I don't think that core functionality like this should be implemented as a plug-in. First, if it isn't enabled by default, most people won't bother to enable it.
We shouldn't let perfect be the enemy of good. Even if some blog article from months ago won't get the updated shiny new sidebar, what's the matter? The New York Times still have content from the web stone age on their server [1] - it doesn't use the latest template, but isn't it more important that this content is still available? It probably wouldn't be had they used a dynamic CMS back in 2001.
...
As the creator of a static export module for Drupal, and a maintainer of another, I agree that in the end if it's not built into the core, it's not going to have much long-term viability. That said, D8 is built on services, which makes an interface for static export available basically out of the box.
...
> b) the whole web is moving towards contextual dynamic delivery.
But not using server side dynamism like Drupal provides. It is moving towards sites serving up static files consisting mostly of Javascript that then call data services, so called single page sites.
From JR's : articles
1176 words - 6941 chars
- 6 min read
created on
updated on
- #
source
- versions