Slashdot Mirror


Update Drupal ASAP: Over a Million Sites Can Be Easily Hacked by Any Visitor (zdnet.com)

Developers of popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site. From a report: The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions. Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1. Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release. So far, there haven't been any attacks using the flaw, according to Drupal. The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600. Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System. Further reading: Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites (BleepingComputer). Commenting on security advisory that Drupal issued last week, BleepingComputer's Catalin Cimpanu said, "In the 9 years I've been around Drupal, I've never seen them publish such an apocalyptic security advisory."
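The summary above tells admins which releases close the hole (7.58 and 8.5.1) but not how to tell which of their own docroots still need it. The script below is an added example, not code from the article or from the Drupal project: it reads the VERSION constant out of a Drupal codebase on disk and compares it with the fixed releases. The file locations and regexes are assumptions based on the Drupal core layout (verify them against your own tree); the fixed-release list (7.58, 8.3.9, 8.4.6, 8.5.1) is the one published in the SA-CORE-2018-002 advisory linked later in the thread, and 8.0 to 8.2 are treated as end-of-life branches that received no fix. The 7.57 sample tree is constructed inline so the block runs offline.

```python
"""Added example: check an on-disk Drupal codebase against the releases
that fix SA-CORE-2018-002 / CVE-2018-7600.

Assumptions (not from the article): the VERSION constant locations below
follow the Drupal core layout for each major release; confirm against
your own tree. The fixed releases are those named in the advisory.
"""
import os
import re
import tempfile

# Fixed release per branch (from SA-CORE-2018-002). 8.0-8.2 were EOL and got
# no fix; 5.x/6.x only got the separate backported patch files, not a release.
FIXED = {
    (8, 5): (8, 5, 1),
    (8, 4): (8, 4, 6),
    (8, 3): (8, 3, 9),
    (7,): (7, 58),
}

# (relative path, regex capturing the version string): assumed locations.
VERSION_FILES = [
    ("core/lib/Drupal.php", r"const\s+VERSION\s*=\s*'([^']+)'"),            # Drupal 8
    ("includes/bootstrap.inc", r"define\('VERSION',\s*'([^']+)'\)"),        # Drupal 7
    ("modules/system/system.module", r"define\('VERSION',\s*'([^']+)'\)"),  # Drupal 5/6
]


def parse_version(version):
    """'8.5.1-rc1' -> ((8, 5, 1), True); '7.58' -> ((7, 58), False)."""
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return nums, bool(suffix)


def is_patched(version):
    """True if this core version already contains the fix."""
    nums, prerelease = parse_version(version)
    # A trailing 0 ranks a pre-release (rc/beta/dev) below the final release.
    key = nums + ((0,) if prerelease else (1,))
    major = nums[0]
    if major >= 9:
        return True                      # released after the fix
    if major == 8:
        minor = nums[1] if len(nums) > 1 else 0
        if minor > 5:
            return True                  # 8.6+ branches were cut after the fix
        fixed = FIXED.get((8, minor))    # None for the EOL 8.0-8.2 branches
    elif major == 7:
        fixed = FIXED[(7,)]
    else:
        return False                     # 5.x/6.x: no fixed release exists
    if fixed is None:
        return False
    return key >= fixed + (1,)


def detect_drupal_version(root):
    """Return the VERSION string found in a Drupal docroot, or None."""
    for rel_path, pattern in VERSION_FILES:
        path = os.path.join(root, rel_path)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = re.search(pattern, fh.read())
        if match:
            return match.group(1)
    return None


def check_docroot(root):
    """(version, patched) for a docroot; version is None if it is not Drupal."""
    version = detect_drupal_version(root)
    if version is None:
        return None, False
    return version, is_patched(version)


def demo():
    """Constructed sample: a Drupal 7.57 tree, one release behind the fix."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "includes", "bootstrap.inc"), "w") as fh:
            fh.write("<?php\ndefine('VERSION', '7.57');\n")  # constructed, not a real file
        return check_docroot(root)


if __name__ == "__main__":
    version, patched = demo()
    state = "patched" if patched else "NOT patched for CVE-2018-7600"
    print(f"Drupal {version}: {state}")
```

Two caveats: the check only works on docroots you can read, not on remote sites, and a 5.x or 6.x tree is always reported as unpatched because no fixed release exists for those branches; for them, confirm the backported patch file from the advisory was actually applied (for example by diffing the tree against the patch) rather than trusting the version string.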

8 of 65 comments

  1. Real Security Notice at the source by Moskit · · Score: 4, Informative

    https://www.drupal.org/sa-core...

    Saves time clicking through the articles.

  2. Drupal and Wordpress are awesome! by ilsaloving · · Score: 3, Insightful

    Their software is just such horrific shitshows that tons of money can be made from offering consulting and maintenance services.

    These systems are prime examples of exactly how not to write code. The biggest being: Don't mix code with data. They should be kept completely separate from one another.

  3. Re:Who still runs Drupal in 2018? by jellomizer · · Score: 2

    But the difference is: Drupal was made for the average Joe. Slashdot doesn't like technology that the average person off the street can use.
    How else do you show how superior you are to everyone else?

    We have one guy living in a nicely furnished home, where they have store-bought furniture. While Slashdotters are living in a home with furniture that has rough edges, pieces that fall off, and sometimes bugs are eating them. Because they refused to buy furniture, but went out into the woods, found a rock and banged it against another rock until they had some sort of blade, then used this stone blade to cut down a tree and chisel away enough of it to make it appear to be like furniture.

    Sure there is pride in the accomplishment, but at the end of the day, you may be stuck with less than quality furniture.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Patch for Drupal 6 and 5 too by Anonymous Coward · · Score: 2, Informative

    Drupal 6 and 5 are EOL, but still get patches due to the severity of the issue:

    For Drupal 6: https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch
    For Drupal 5: https://www.drupal.org/files/issues/2018-03-28/sa-core-2018-002-d5.patch

    From the Drupal 6 Long Term Support here: https://www.drupal.org/project/d6lts/issues/2955130

  5. Re:Turnkey by Gramie2 · · Score: 3, Insightful

    Yes, and become an expert in security (filesystem, network and databases especially), in accessibility, performance and optimization (especially caching), content searching.

    Oh, and your solution should be expandable to seamlessly handle e-commerce, calendaring, blogs, forums, email, producing and consuming RSS and Atom feeds, allow OAuth/Google/Facebook authentication.

    It should allow different layouts and menus on every page, if desired. It should be able to run headless, so that you can throw an Angular front-end on it. It should handle multiple websites with the same codebase. Give me an easy way to import and export data. And make it user-friendly so Brenda in Marketing can update our pages, including uploading images and embedding videos.

    I've been a developer in the early days of a custom CMS, and it was ugly, very ugly.

    There is a reason that CMSs exist, and not just because people are lazy, but because any one of the things I mentioned above is very hard to do right. Keeping up with changes in technology and evolving security risks is a full-time job for a bunch of people. To do all of it together is really, really hard and the reason that yesterday's security alert exists.

  6. Re:Yeah by dcollins117 · · Score: 2

    Undisclosed person of power: I want the report on Aria 51!

    Aria 51 is from one of Puccini's lesser-known and enigmatic operas "lombrichi dallo spazio" circa 1896.

    It caused quite a stir amongst the classe privilegiata.

  7. Re: Who still runs Drupal in 2018? by bjdevil66 · · Score: 2

    We use Pantheon, and it scales up Drupal for traffic/bandwidth without a hitch.

  8. Re:Who still runs Drupal in 2018? by bjdevil66 · · Score: 2

    We're a large, American university - and we're about 2/1 Drupal to WordPress.

    With that said, the key isn't which CMS is better. It's which CMS just works for them in terms of saving money and time. While our Drupal build isn't great, many departments use it because there's a pre-built, profile-based, customized version of Drupal that does 95% of what they want - and that's "Good Enough" (TM). They learn to deal with Drupal's UI shortcomings while we try to improve our existing UI to make it as easy for them to do their jobs as possible.

    In the meantime, the college has a WordPress system that is very efficient in giving them basic site spinups that match our university's Web standards.