Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security

Update Drupal ASAP: Over a Million Sites Can Be Easily Hacked by Any Visitor (zdnet.com) 65

Developers of popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site. From a report: The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions. Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1. Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release. So far, there haven't been any attacks using the flaw, according to Drupal. The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600. Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System. Further reading: Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites (BleepingComputer). Commenting on security advisory that Drupal issued last week, BleepingComputer's Catalin Cimpanu said, "In the 9 years I've been around Drupal, I've never seen them publish such an apocalyptic security advisory."
This discussion has been archived. No new comments can be posted.

Update Drupal ASAP: Over a Million Sites Can Be Easily Hacked by Any Visitor

Comments Filter:
  • Seriously. The world has enough cat blogs.
    • by Anonymous Coward

      Ahh yes, an old fuck complaining about obsolete technology on Slashdot. Slashdot. The one written in Perl.

      I was wondering if they'd let you out of your room on a day pass long enough to show up, still calling everything Micro$$$haft and proclaiming Gentoo to be the way of the future perchance?

      • by XXeR ( 447912 )

        The one written in Perl.

        Hang on a second, what did Perl do to deserve getting pulled into this? Everything else was spot on, but that's taking it too far!!

      • But the difference is. Drupal was made for the average Joe. Slashdot doesn't like technology that the average person off the street can use.
        How else do you show how superior you are to everyone else.

        We have one guy living in a nicely furnish home, where they have store bought fur nature. While Slashdotters are living in a home with furniture, that has rough edges, pieces that fall off, and sometimes bugs are eating them. Because they refuse to buy furniture, But went out into the woods, found a rock and

        • by Bert64 ( 520050 )

          On the other hand a competent craftsman can produce much higher quality furniture than the cheap garbage built from reformed sawdust you get from most furniture retailers these days.

      • Ahh yes, an old fuck complaining about obsolete technology on Slashdot. Slashdot. The one written in Perl.

        I was wondering if they'd let you out of your room on a day pass long enough to show up, still calling everything Micro$$$haft and proclaiming Gentoo to be the way of the future perchance?

        You think he's old?!?

        by xxxJonBoyxxx ( 565205 )

        I'll show ya old, sonny. Sheesh, kids these days ...

    • by Anonymous Coward
      Universities and Government mostly. No one uses Drupal for blogging, you must be thinking of WordPress
      • We're a large, American university - and we're about 2/1 Drupal to WordPress.

        With that said, the key isn't which CMS is better. It's which CMS just works for them in terms of saving money and time. While our Drupal build isn't great, many departments use it because there's a pre-built, profile-based, customized version of Drupal that does 95% of what they want - and that's "Good Enough" (TM). They learn to deal with Drupal's UI shortcomings while we try to improve our existing UI to make it as easy for them

  • by Moskit ( 32486 ) on Thursday March 29, 2018 @10:59AM (#56346659)

    https://www.drupal.org/sa-core... [drupal.org]

    Saves time clicking through the articles.

  • by ilsaloving ( 1534307 ) on Thursday March 29, 2018 @11:11AM (#56346743)

    Their software is just such horrific shitshows that tons of money can be made from offering consulting and maintenance services.

    These systems are prime examples of exactly how not to write code. The biggest being: Don't mix code with data. They should be kept completely separate from one another.

    • Their software is just such horrific shitshows that tons of money can be made from offering consulting and maintenance services.

      I know, anyone with any sense has migrated to wordpress already.

    • by Anonymous Coward

      Yes, this code and data mixing is a horror. I don't understand why more people don't rail against it.

      • It's because the part of Drupal that's vulnerable is the part that satisfies Greenspun's rule: sufficiently complex software will contain an adhoc, bug ridden version of common lisp (i.e. render arrays, i.e. deferred evaluation). And lisp is about realizing that code is data.

        But without a language that has that built into its core, you're more likely to shoot yourself in the foot.

        By the way, if you don't think code and data will necessarily mix, your software never does anything surprising.

    • These systems are prime examples of exactly how not to write code. The biggest being: Don't mix code with data. They should be kept completely separate from one another.

      I'm confused as to what you're saying here. The data lives in a RDBMS, the code lives in PHP files. They're already in separate places.

      • It's actually mixed up all over the place, at all levels.
        Doesn't matter if it's at the database level, or the file level, physically. Logically, it doesn't matter if it's at the system level or the content level. Data and code is mixed at every possible level.

        Because absolutely zero thought was given to enforcing any kind of formal structure, the entire architecture of the systems guarantee that you will run into a whole whackton of issues, such as:
        -A giant honking attack surface to work with. It's physic

  • Remember when Drupal was supposed to be the “secure” alternative for a web CMS? Certainly over the past few years it seems to have had significantly more core vulnerabilities than Wordpress.

    (Note that I said “core”... plugins are another matter)

    • Remember when Drupal was supposed to be the âoesecureâ alternative for a web CMS?

      It still is. They have a security team that addresses vulnerabilities and they do a lot of work to maintain security in general. The fact that sometimes they fail does not change the fact that they are still the security-minded choice in prerolled CMSes. The average developer, trying to do all the things that Drupal does, might well also fail. Without many eyes on their code, they might well write serious security bugs which they do not catch.

      Once upon a time, you could build a wall and expect that it would

  • by Anonymous Coward

    Drupal 6 and 5 are EOL, but still get patches due to the severity of the issue:

    For Drupal 6: https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch
    For Drupal 5: https://www.drupal.org/files/issues/2018-03-28/sa-core-2018-002-d5.patch

    From the Drupal 6 Long Term Support here: https://www.drupal.org/project/d6lts/issues/2955130

  • And yet again, turnkey systems rear their ugly truth: If one is vulnerable, then they all are.

    Stay away from turnkey solutions, roll your own, know what you have and how it works.

    • Re:Turnkey (Score:4, Insightful)

      by Gramie2 ( 411713 ) on Thursday March 29, 2018 @03:44PM (#56348873)

      Yes, and become an expert in security (filesystem, network and databases especially), in accessibility, performance and optimization (especially caching), content searching.

      Oh, and your solution should be expandable to seamlessly handle e-commerce, calendaring, blogs, forums, email, producing and consuming RSS and Atom feeds, allow OAuth/Google/Facebook authentication.

      It should allow different layouts and menus on every page, if desired. It should be able to run headless, so that you can throw an Angular front-end on it. It should handle multiple websites with the same codebase. Give me an easy way to import and export data. And make it user-friendly so Brenda in Marketing can update our pages, including uploading images and embedding videos.

      I've been a developer at the early days of a custom CMS, and it was ugly, very ugly.

      There is a reason that CMSs exist, and not just because people are lazy, but because any one of the things I mentioned above is very hard to do right. Keeping up with changes in technology and evolving security risks is a full-time job for a bunch of people. To do all of it together is really, really hard and the reason that yesterday's security alert exists.

  • ... just like WordPress, only with worse usability and barrier to entry for developers. And unlike WordPress it's army of users and developers isn't even close in size. I have professionally developed for both WP and Drupal and given the choice I'd chose WordPress any time.

    • Wordpress tends to both have more remote code execution vulnerabilities, and be exploited more than Drupal in actual practice. There is no real evidence that one is higher quality than the other, only that Drupal's process is superior. They are better at curation, if not development. Both are capable of failure. I'm certain, though, that if I tried to implement all the parts of a CMS that I personally use, I'd do worse than either one.

  • I found something like this to be helpful instead a cms https://codeigniter.com/ [codeigniter.com] and if google wants to remove things from their search results try removing generic brandings like "powered by wordpress" ect...

Thus spake the master programmer: "Time for you to leave." -- Geoffrey James, "The Tao of Programming"

Working...