Slashdot Mirror


Update Drupal ASAP: Over a Million Sites Can Be Easily Hacked by Any Visitor (zdnet.com)

Developers of the popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site. From a report: The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions. Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1 (the advisory also provides 8.3.9 and 8.4.6 for sites still on those otherwise unsupported 8.x branches). Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release. So far, there haven't been any attacks using the flaw, according to Drupal. The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600. Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System. Further reading: Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites (BleepingComputer). Commenting on the security advisory that Drupal issued last week, BleepingComputer's Catalin Cimpanu said, "In the 9 years I've been around Drupal, I've never seen them publish such an apocalyptic security advisory."

65 comments

  1. Who still runs Drupal in 2018? by xxxJonBoyxxx · · Score: 0

    Seriously. The world has enough cat blogs.

    1. Re:Who still runs Drupal in 2018? by Anonymous Coward · · Score: 0

      Really? On the same day Boeing gets infected with WannaCry? You are one arrogant piece of shit.

    2. Re:Who still runs Drupal in 2018? by Anonymous Coward · · Score: 1

      Ahh yes, an old fuck complaining about obsolete technology on Slashdot. Slashdot. The one written in Perl.

      I was wondering if they'd let you out of your room on a day pass long enough to show up, still calling everything Micro$$$haft and proclaiming Gentoo to be the way of the future perchance?

    3. Re:Who still runs Drupal in 2018? by Anonymous Coward · · Score: 0

      The one written in Perl.

      whats ur flavor my dude
      node? ruby? ima guess python
      oooo is it rust

    4. Re:Who still runs Drupal in 2018? by Anonymous Coward · · Score: 1

      Universities and Government mostly. No one uses Drupal for blogging, you must be thinking of WordPress

    5. Re:Who still runs Drupal in 2018? by XXeR · · Score: 1

      The one written in Perl.

      Hang on a second, what did Perl do to deserve getting pulled into this? Everything else was spot on, but that's taking it too far!!

    6. Re:Who still runs Drupal in 2018? by jellomizer · · Score: 2

      But the difference is: Drupal was made for the average Joe. Slashdot doesn't like technology that the average person off the street can use.
      How else do you show how superior you are to everyone else?

      We have one guy living in a nicely furnished home, where they have store-bought furniture. While Slashdotters are living in a home with furniture that has rough edges, pieces that fall off, and sometimes bugs are eating them. Because they refuse to buy furniture, but went out into the woods, found a rock and banged it against another rock until they had some sort of blade, used this stone blade to cut down a tree and chiseled away enough of it to make it appear to be like furniture.

      Sure there is pride in the accomplishment, but at the end of the day, you may be stuck with less than quality furniture.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    7. Re:Who still runs Drupal in 2018? by Anonymous Coward · · Score: 0

      I wouldn't run Drupal either, but I'm curious what you would use instead?

    8. Re:Who still runs Drupal in 2018? by Anonymous Coward · · Score: 0

      drupal? never has that piece of shit ever been targeted at the "average joe"?

    9. Re:Who still runs Drupal in 2018? by cascadingstylesheet · · Score: 1

      Ahh yes, an old fuck complaining about obsolete technology on Slashdot. Slashdot. The one written in Perl.

      I was wondering if they'd let you out of your room on a day pass long enough to show up, still calling everything Micro$$$haft and proclaiming Gentoo to be the way of the future perchance?

      You think he's old?!?

      by xxxJonBoyxxx ( 565205 )

      I'll show ya old, sonny. Sheesh, kids these days ...

    10. Re: Who still runs Drupal in 2018? by Anonymous Coward · · Score: 0

      Please tell us the alternative. If it's WordPress go directly to jail, do not pass go or collect 200 pounds...

    11. Re:Who still runs Drupal in 2018? by Bert64 · · Score: 1

      On the other hand a competent craftsman can produce much higher quality furniture than the cheap garbage built from reformed sawdust you get from most furniture retailers these days.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    12. Re: Who still runs Drupal in 2018? by Anonymous Coward · · Score: 0

      Well obviously something written in Python by a zit faced fresh java grad using MongoDB hosted on AWS. What else?

      Do you even webscale bro?

    13. Re: Who still runs Drupal in 2018? by bjdevil66 · · Score: 2

      We use Pantheon, and it scales up Drupal for traffic/bandwidth without a hitch.

    14. Re: Who still runs Drupal in 2018? by Anonymous Coward · · Score: 0

      Yup, drupal is for large shitty websites with complex features

    15. Re:Who still runs Drupal in 2018? by bjdevil66 · · Score: 2

      We're a large, American university - and we're about 2/1 Drupal to WordPress.

      With that said, the key isn't which CMS is better. It's which CMS just works for them in terms of saving money and time. While our Drupal build isn't great, many departments use it because there's a pre-built, profile-based, customized version of Drupal that does 95% of what they want - and that's "Good Enough" (TM). They learn to deal with Drupal's UI shortcomings while we try to improve our existing UI to make it as easy for them to do their jobs as possible.

      In the meantime, the college has a WordPress system that is very efficient in giving them basic site spinups that match our university's Web standards.

    16. Re:Who still runs Drupal in 2018? by keithm · · Score: 1

      Are you saying that *you* are old? (smile)

      This is my first Slashdot comment since 1999.

      And the first web site I wrote used Visual dBase as the back end.

    17. Re:Who still runs Drupal in 2018? by um...+Lucas · · Score: 1

      What are you going on about? Geez.

      Kids these days...

    18. Re:Who still runs Drupal in 2018? by um...+Lucas · · Score: 1

      Got ya beat.

  2. You Fail It by Anonymous Coward · · Score: 0

    But It's Open Source! That means it's bug free and secure by definition, right?!

    1. Re:You Fail It by SQLGuru · · Score: 0

      No, it just means the bugs are easier to find and exploit.......

    2. Re:You Fail It by Anonymous Coward · · Score: 0

      With enough eyes, all exploits are shallow...

    3. Re: You Fail It by Anonymous Coward · · Score: 1

      No it just means if you can fix it yourself nothing is in your way.

  3. If only there was a professional by Anonymous Coward · · Score: 0

    who takes care of government IT and could make a video explaining this to us, as well as a solution.

    If only.

    But that person is busy creating drama with 25 sockpuppets and making videos no one cares about* about getting ticket refunds.

    *: Go ahead Chris, quote us the three extra views you got yesterday.

    1. Re:If only there was a professional by Anonymous Coward · · Score: 0

      Which Chris? McGrath, Stone, Panza, Miller, Sloan?

      There's already a problem, no one needs to be making it worse.

  4. Real Security Notice at the source by Moskit · · Score: 4, Informative

    https://www.drupal.org/sa-core...

    Saves time clicking through the articles.

    1. Re:Real Security Notice at the source by THE_WELL_HUNG_OYSTER · · Score: 1

      Here's the patch for 8.5: https://cgit.drupalcode.org/dr... Notice that the sanitize_input_whitelist values aren't defined anywhere in the patch.

    2. Re:Real Security Notice at the source by Anonymous Coward · · Score: 1

      yes they are, whitelist is empty by default:
      + $whitelist = variable_get('sanitize_input_whitelist', array());

    3. Re:Real Security Notice at the source by Anonymous Coward · · Score: 0

      That's for developer use. The patch itself automatically strips out the problem character: #

      If a developer wishes to add more characters to that list, that variable is there for that reason.

    4. Re:Real Security Notice at the source by Anonymous Coward · · Score: 0

      The patch is really scary. From what I can tell, it basically strips out all URL, post and cookie parameters. My knowledge of the language and the fact that this is a RCE tell me that something is treating this user-supplied data as code or instructions to run code. And given that the patch doesn't contain anything related to that, it tells me that the underlying problem isn't fixed.

    5. Re: Real Security Notice at the source by Anonymous Coward · · Score: 0

      Glad I was not the only one who noticed.

  5. Yeah by Anonymous Coward · · Score: 0

    And over a million sites aren't even indexed by search engines and are forgotten by their owners. The others that are affected by this are probably chem trail/flat earth sites done up with a beautiful array of colors like lime green, hot pink, with white Times New Roman lettering in one giant table and numerous broken links.

    1. Re:Yeah by Anonymous Coward · · Score: 1

      hey man conspiracy theories are experiencing a real renaissance right now after trump's election. who knows what kind of clues might be hidden on an old school chemtrails site. actually, that gives me a fakenews idea! make a real old web 1.0 site about some shit relevant today, and be like omg this conspiracy nut from 1999 predicted this shit! pay some prick on youtube with a million followers to gush about it for five minutes, and watch the traffic roll in. then sell them an ebook on investing in gold bullion or whatever.

    2. Re:Yeah by jellomizer · · Score: 1

      But the people who know the real scoop on most of these conspiracies keep on getting fired.

      Undisclosed person of power: I want the report on Aria 51!
      Undisclosed cabinet member: Here it is. There are about a dozen failed jet engine designs, and a couple of them that are considered out of date.
      Undisclosed person of power: And the UFO?
      Undisclosed cabinet member: That was actually just a weather balloon. They launched them to get an idea of how the wind was going in the atmosphere to determine if it was safe for a test flight that night. It was blown off course. So the military picked it up, because they didn't want someone to get a hold of the broadcast radio, which was using a top secret frequency.
      Undisclosed person of power: That's boring and rational. You're fired, I needed you to tell the "Truth"

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Yeah by dcollins117 · · Score: 2

      Undisclosed person of power: I want the report on Aria 51!

      Aria 51 is from one of Puccini's lesser-known and enigmatic operas "lombrichi dallo spazio" circa 1896.

      It caused quite a stir amongst the classe privilegiata.

  6. Gor by Anonymous Coward · · Score: 0

    Gorean BDSM would have made Drupal behave like a good bitch should.

    1. Re:Gor by Anonymous Coward · · Score: 0

      If Drupal's core team was focused on writing good software instead of expelling members, problems like this would not occur.

      This problem started with the 8.3 branch, with a core committer who did not understand sanitize_input needs a whitelist to sanitize against. Core committers are supposed to set the example, not act like impulsive coders who can't RTFM on software that's been well-documented.

      Drupal used to have a competent team who could catch each other's mistakes. Now it's a bunch of paranoid freaks writing manifestos and keeping shitlists about anyone who does not agree with their ideas about feminist intersectionality and praxis.

      How they find the time for releases is beyond me. It's going to cost about $20 million to patch 1 million websites worldwide.

      https://twitter.com/drupalincl...

  7. Drupal and Wordpress are awesome! by ilsaloving · · Score: 3, Insightful

    Their software is just such horrific shitshows that tons of money can be made from offering consulting and maintenance services.

    These systems are prime examples of exactly how not to write code. The biggest being: Don't mix code with data. They should be kept completely separate from one another.

    1. Re:Drupal and Wordpress are awesome! by thegarbz · · Score: 0

      Their software is just such horrific shitshows that tons of money can be made from offering consulting and maintenance services.

      I know, anyone with any sense has migrated to wordpress already.

    2. Re:Drupal and Wordpress are awesome! by bjdevil66 · · Score: 1

      You did notice that he was ripping Drupal AND WordPress, right?

    3. Re:Drupal and Wordpress are awesome! by Anonymous Coward · · Score: 1

      Yes, this code and data mixing is a horror. I don't understand why more people don't rail against it.

    4. Re:Drupal and Wordpress are awesome! by drinkypoo · · Score: 1

      These systems are prime examples of exactly how not to write code. The biggest being: Don't mix code with data. They should be kept completely separate from one another.

      I'm confused as to what you're saying here. The data lives in a RDBMS, the code lives in PHP files. They're already in separate places.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Drupal and Wordpress are awesome! by Anonymous Coward · · Score: 0

      I think he's talking about the fact that a PHP file can contain HTML, and after processing is almost entirely "data," i.e. the HTML code is not code because it encapsulates content.

      The tricky bit is that HTML is a markup language, it's intended to be mixed with "data" (i.e. your content) and trying to separate them gets ugly.

      The best templating system I saw years ago (can't remember the name) used PHP to read in a generic HTML template, parse the DOM into an object tree, and then send it to a renderer for final output as HTML+CSS+JS. It was great because the designers could work on a template in Dreamweaver using "dummy" content and not worry about the dynamic stuff. The downside was it was slooooooow.

    6. Re:Drupal and Wordpress are awesome! by ilsaloving · · Score: 1

      It's actually mixed up all over the place, at all levels.
      Doesn't matter if it's at the database level, or the file level, physically. Logically, it doesn't matter if it's at the system level or the content level. Data and code is mixed at every possible level.

      Because absolutely zero thought was given to enforcing any kind of formal structure, the entire architecture of the systems guarantees that you will run into a whole whackton of issues, such as:
      -A giant honking attack surface to work with. It's physically impossible to lock anything down as a preventative measure, because the data needs to be able to change.
      -Maintenance is an absolute nightmare because code and data can be literally anywhere, so being able to export and import records is very challenging, or basically trying to do anything that vaguely resembles formal development/approval processes.

      The best you can do is try to impose some kind of rigidity through various methods such as judicious use of carefully curated plugins, or specifically avoid using features that make the problem worse. For example, if you don't permit article comments, forums, or anything that requires write access, then you can treat the entire site as one fixed object. You can then have one instance of it that is writeable for making your updates on, then when you're happy you move the entire site to its "production" instance and make the entire thing read-only to prevent malicious actors from making changes to it.

  8. Security by 93+Escort+Wagon · · Score: 1

    Remember when Drupal was supposed to be the “secure” alternative for a web CMS? Certainly over the past few years it seems to have had significantly more core vulnerabilities than Wordpress.

    (Note that I said “core”... plugins are another matter)

    --
    #DeleteChrome
    1. Re:Security by Anonymous Coward · · Score: 0

      Here's the patch for 8.5:
      https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
      I don't see sanitize_input_whitelist -- presumably the list of chars to strip from input -- defined anywhere in the patch. It looks like a key into a dictionary or configuration key, but where is the value defined?

    2. Re:Security by Anonymous Coward · · Score: 1

      No, a whitelist is a list of strings that are not filtered. It's empty unless otherwise set in Settings, which makes sense.

      + (array) Settings::get(RequestSanitizer::SANITIZE_WHITELIST, []),

      + /**
      + * The name of the setting that configures the whitelist.
      + */
      + const SANITIZE_WHITELIST = 'sanitize_input_whitelist';

    3. Re:Security by drinkypoo · · Score: 1

      Remember when Drupal was supposed to be the “secure” alternative for a web CMS?

      It still is. They have a security team that addresses vulnerabilities and they do a lot of work to maintain security in general. The fact that sometimes they fail does not change the fact that they are still the security-minded choice in prerolled CMSes. The average developer, trying to do all the things that Drupal does, might well also fail. Without many eyes on their code, they might well write serious security bugs which they do not catch.

      Once upon a time, you could build a wall and expect that it would protect you pretty well. Then someone invented the ladder, and the rest is history. Ever since, it's been both an arms race, and a situation where the only defense is defense in depth. Security is a process, not a product, and several other platitudes.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Did you just figure out APKs plans by Anonymous Coward · · Score: 0

    Did you just figure out how APK plans to make money but with some of the details changed?

  10. Aww... by Anonymous Coward · · Score: 0

    Could not have happened to a nicer "one size fits none" piece of crap CMS built by a Belgian bigot...

  11. Everybody is a haxxor nao! by Anonymous Coward · · Score: 0

    Everybody is a hacker nao
    Everybody is a hacker nao
    Give me the hacks
    Give me the hacks
    Everybody is a hacker nao
    Everybody is a hacker nao

    Yeah, yeah, yeah
    Everybody is a hacker nao
    Yeah, yeah, yeah
    Everybody is a hacker nao

  12. Remember yesterday in infamy by Anonymous Coward · · Score: 0

    Commenting on security advisory that Drupal issued last week, BleepingComputer's Catalin Cimpanu said, "In the 9 years I've been around Drupal, I've never seen them publish such an apocalyptic security advisory."

    We will call it DrupalWTF Day.

  13. Modsecurity mitigation by Anonymous Coward · · Score: 0

    I'm testing this (overly broad) Modsecurity rule to mitigate it:

    SecRule ARGS|REQUEST_URI|REQUEST_COOKIES "@rx \[(['\"]|%27)" "phase:2,id:850010,msg:'Drupal SA-CORE-2018-002 attack',severity:CRITICAL,deny,log,auditlog,status:403,logdata:%{MATCHED_VAR}"
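
Added example, not code from the thread, from the Drupal patch, or from Drupal itself: a Python re-implementation of the behaviour the comments under "Real Security Notice at the source" describe the fix as having, namely stripping any GET/POST/cookie key that begins with '#' at any nesting depth unless it appears in the empty-by-default sanitize_input_whitelist setting, plus a detection function that flags a request carrying such a key. It complements the ModSecurity rule above, which keys on a bracket followed by a quote character rather than on the '#' the patch removes, so the two catch different shapes of request. The setting name is taken from the patch lines quoted in the thread; the query strings, key names and function names are constructed for illustration and are not exploit payloads.

```python
import re
from urllib.parse import parse_qsl

# Analogue of the empty-by-default 'sanitize_input_whitelist' setting named in
# the patch lines quoted in the thread. Empty means every '#'-prefixed key is
# stripped; an entry here is passed through to application code untouched.
DEFAULT_WHITELIST = frozenset()

# PHP bracket syntax: a bare head followed by zero or more [segment] groups.
_KEY_RE = re.compile(r'^([^\[\]]+)((?:\[[^\]]*\])*)$')


def parse_php_query(query):
    """Parse a PHP-style query string (a[b][]=v) into nested dicts.

    PHP's '[]' auto-index is modelled with the next integer key as a string,
    which is enough to show where a '#' key lands in the structure. Keys that
    do not follow the bracket syntax are kept flat rather than rejected.
    """
    root = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        match = _KEY_RE.match(key)
        if not match:
            root[key] = value
            continue
        parts = [match.group(1)] + re.findall(r'\[([^\]]*)\]', match.group(2))
        node = root
        for i, part in enumerate(parts):
            if part == '':
                part = str(len(node))
            if i == len(parts) - 1:
                node[part] = value
            else:
                child = node.get(part)
                if not isinstance(child, dict):
                    child = node[part] = {}
                node = child
    return root


def sanitize(data, whitelist=DEFAULT_WHITELIST, _path=()):
    """Drop '#'-prefixed keys at any depth unless whitelisted.

    Returns (cleaned_copy, stripped_paths) so the caller can both use the
    cleaned input and log what was removed. This is a re-implementation of the
    behaviour described in the thread, not Drupal's own RequestSanitizer.
    """
    if not isinstance(data, dict):
        return data, []
    cleaned, stripped = {}, []
    for key, value in data.items():
        if key.startswith('#') and key not in whitelist:
            stripped.append(_path + (key,))
            continue
        child, child_stripped = sanitize(value, whitelist, _path + (key,))
        cleaned[key] = child
        stripped.extend(child_stripped)
    return cleaned, stripped


def flag_request(query, whitelist=DEFAULT_WHITELIST):
    """Detection counterpart: True if the sanitizer would strip anything."""
    return bool(sanitize(parse_php_query(query), whitelist)[1])


# Constructed sample requests for illustration (not captured traffic and not
# exploit payloads); '#' keys are URL-encoded as %23, as a client would send.
BENIGN = "form_id=user_register_form&mail[address]=alice%40example.test"
SUSPECT = ("form_id=user_register_form"
           "&mail[%23constructed_key][]=x&mail[%23other]=y")

if __name__ == "__main__":
    for label, query in (("benign", BENIGN), ("suspect", SUSPECT)):
        cleaned, stripped = sanitize(parse_php_query(query))
        print(label, "flagged" if stripped else "clean", stripped)
```

Run it as a script to print the stripped paths for the constructed samples. The whitelist parameter shows why an empty default is the safe one: any '#' key you whitelist is handed to application code unchanged, so a whitelist entry should only exist for a key the site knowingly accepts from clients.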

  14. Patch for Drupal 6 and 5 too by Anonymous Coward · · Score: 2, Informative

    Drupal 6 and 5 are EOL, but still get patches due to the severity of the issue:

    For Drupal 6: https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch
    For Drupal 5: https://www.drupal.org/files/issues/2018-03-28/sa-core-2018-002-d5.patch

    From the Drupal 6 Long Term Support here: https://www.drupal.org/project/d6lts/issues/2955130

  15. Turnkey by duke_cheetah2003 · · Score: 1

    And yet again, turnkey systems rear their ugly truth: If one is vulnerable, then they all are.

    Stay away from turnkey solutions, roll your own, know what you have and how it works.

    1. Re:Turnkey by Gramie2 · · Score: 3, Insightful

      Yes, and become an expert in security (filesystem, network and databases especially), in accessibility, performance and optimization (especially caching), content searching.

      Oh, and your solution should be expandable to seamlessly handle e-commerce, calendaring, blogs, forums, email, producing and consuming RSS and Atom feeds, allow OAuth/Google/Facebook authentication.

      It should allow different layouts and menus on every page, if desired. It should be able to run headless, so that you can throw an Angular front-end on it. It should handle multiple websites with the same codebase. Give me an easy way to import and export data. And make it user-friendly so Brenda in Marketing can update our pages, including uploading images and embedding videos.

      I've been a developer in the early days of a custom CMS, and it was ugly, very ugly.

      There is a reason that CMSs exist, and not just because people are lazy, but because any one of the things I mentioned above is very hard to do right. Keeping up with changes in technology and evolving security risks is a full-time job for a bunch of people. To do all of it together is really, really hard and the reason that yesterday's security alert exists.

    2. Re:Turnkey by Anonymous Coward · · Score: 0

      Stop spreading FUD.

      Use a CMS if you need to get the job done fast, use Go, Rust, Elixir if you want to get the job done right.

      There are commonly used, peer-reviewed design patterns for most major platforms that make it possible to rapidly implement the features mentioned individually, without the constraints of a CMS. The only people who don't seem to know that are the people who only focus on Drupal / Wordpress / Joomla.

      Today's security release exists because the Core Development team doesn't know how to set sane defaults. Most commits right now are cut and paste jobs that are only tested in the barest sense of the word. Scalability, integration tests, unit tests, etc, which could reveal problems like this, are not even thought about.

      Drupal 8 is a joke.

  16. Subjects on posts are stupid. by thegarbz · · Score: 1

    Nope. Who the fuck reads subjects anyways. Subjects on posts are stupid.

  17. Drupal is a mess ... by Qbertino · · Score: 0

    ... just like WordPress, only with worse usability and a higher barrier to entry for developers. And unlike WordPress, its army of users and developers isn't even close in size. I have professionally developed for both WP and Drupal and given the choice I'd choose WordPress any time.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Drupal is a mess ... by drinkypoo · · Score: 1

      Wordpress tends to both have more remote code execution vulnerabilities, and be exploited more than Drupal in actual practice. There is no real evidence that one is higher quality than the other, only that Drupal's process is superior. They are better at curation, if not development. Both are capable of failure. I'm certain, though, that if I tried to implement all the parts of a CMS that I personally use, I'd do worse than either one.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Drupal is a mess ... by Anonymous Coward · · Score: 0

      Remind me again how WordPress helps plugin and theme developers avoid XSS, CSRF, and SQL Injection vulnerabilities? Through the core Form API, right? oh wait. WordPress doesn't have one.

      Oh, and how many WordPress plugins get security coverage by the WordPress security team? Oh right, none of them (unless they receive an actual disclosure).

      The problem with security in WordPress is all of its plugins, none of which are universally adopted, none of which get much security attention, many of which are proprietary and rarely see outside review.

      Drupal wins on security hands down because it lays out best practices for module developers, and most plugins in widespread use get security coverage.

      https://www.freelock.com/blog/john-locke/2018-03/drupalgeddon2-should-i-worry-about-critical-security-updates

  18. code igniter by wolfheart111 · · Score: 1

    I found something like this to be helpful instead of a CMS: https://codeigniter.com/ and if Google wants to remove things from their search results, try removing generic brandings like "powered by wordpress" etc...

    --
    [($)]
  19. Greenspun's Tenth Rule by UnConeD · · Score: 1

    It's because the part of Drupal that's vulnerable is the part that satisfies Greenspun's rule: sufficiently complex software will contain an ad hoc, bug-ridden version of Common Lisp (i.e. render arrays, i.e. deferred evaluation). And Lisp is about realizing that code is data.

    But without a language that has that built into its core, you're more likely to shoot yourself in the foot.

    By the way, if you don't think code and data will necessarily mix, your software never does anything surprising.