Slashdot Mirror


Drupal Warns of New Remote-Code Bug, the Second in Four Weeks (arstechnica.com)

For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties. From a report: Maintainers of the open-source CMS built on the PHP programming language released an update patching a critical remote-code vulnerability on Wednesday. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn't provide details on how the vulnerability can be exploited other than to say attacks work remotely. The maintainers rated the vulnerability "critical" and urged websites to patch it as soon as possible.

50 comments

  1. A new twist on term 'open source' by TheZeitgeist · · Score: 5, Funny

    Apparently, the source is open more ways than one.

    1. Re: A new twist on term 'open source' by Anonymous Coward · · Score: 0

      But but but 1200 views, 6 subscribers.

      He's going places.

  2. Quick! Get a drum circle together! by Anonymous Coward · · Score: 0

    Only with the power of caring and group-think can we overcome these nasty, racist/sexist/bigoted microaggression bugs. Someone fetch a Holy (non-denominational) Scroll of Code of Conduct!

    Drupal - fix your shit. Full stop. These bugs? They're WAY more embarrassing (as viewed by the people who matter) than you spending your time kink-shaming your VOLUNTEER developers

  3. How outrageous by Billly+Gates · · Score: 4, Funny

    Drupal and php are so well secured and up to date that this can happen is simply inconceivable

    1. Re:How outrageous by Narcocide · · Score: 3, Funny

      Drupal and php are so well secured and up to date that this can happen is simply inconceivable

      You keep using that word... I do not think it means what you think it means.

    2. Re:How outrageous by TFlan91 · · Score: 1

      fyi: saveie6.com yields 404

    3. Re:How outrageous by Torvac · · Score: 1

      unpossible

  4. A+ on stealing my potential clients by Narcocide · · Score: 1

    F- on retaining them.

  5. Where are the sandboxes? by goombah99 · · Score: 4, Insightful

    Why don't developers just write code that doesn't have security holes in it?

    Presumably because they can't. It's time we started programming computer resource sandboxes into every application by default.

    Linux and Mac, and Windows all have things for this. Macs have a dtrace based sandbox that can be per application or per process.

    sandboxes can specify what a process and all child processes can do at the computer resource level. Can they get on the network? Can they access the file system? what files can they access? do they have write permission? how much memory can they use? how much cpu? and so on.

    If we always launched processes with these clamped down a lot of security holes would not be exploitable. Why is it these are largely unused?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re: Where are the sandboxes? by Anonymous Coward · · Score: 0

      You forgot stupid.

    2. Re:Where are the sandboxes? by Anonymous Coward · · Score: 0

      If we always launched processes with these clamped down a lot of security holes would not be exploitable. Why is it these are largely unused?

      Because the ecosystem supporting these solutions -- the very ecosystems that attracted wide usage and community support -- requires that the software extensions and APIs be writable by amateurs. And also because people use these solutions to Actually Make Money.

      So yes, a CMS can be designed as a product that has sandboxes, best practices, etc.. But it will either be (a) proprietary and have high-end service contracts (IBM), or (b) not popular and unused.

    3. Re:Where are the sandboxes? by Njovich · · Score: 1

      What's the point of that when the real sensitive data is in the website? The PHP code still has to access the database. Who cares about anything else? Either way, it's pretty standard practice these days to run sites in a separate VM or otherwise sandboxed environment.

    4. Re: Where are the sandboxes? by Anonymous Coward · · Score: 0

      So... You're saying Drupal is for the incompetent, and it's insecure by design. Got it.

    5. Re:Where are the sandboxes? by Billly+Gates · · Score: 1

      You mean like containers that Linux and Amazon use and very recently Windows and Azure Linux/Windows serverless?

      Problem is it doesn't solve SQL access bugs even if you can generate another container the data is still compromised

      Kids today use node.js and frameworks from Azure and Amazon that are secured and unfortunately locked to these platforms.

      Coders should not be security experts. The frameworks should be, which PHP has shown are not written by such

    6. Re:Where are the sandboxes? by Anonymous Coward · · Score: 0

      Of course, the Drupal installation guide doesn't mention containers or separate VMs.

      https://www.drupal.org/docs/8/...

      It's like a time capsule from 2008, dressed up to look like something from 2012. They are trying to disguise how far behind the times they are with a Richard Nixon mask.

    7. Re: Where are the sandboxes? by Z00L00K · · Score: 1

      Why do people use php?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    8. Re: Where are the sandboxes? by Anonymous Coward · · Score: 0

      Why do people use php?

      This again?

      Some people use PHP because it is very easy to get started with, can be found and hosted almost everywhere, and has tons of examples, libraries and applications available for it, WordPress and Drupal being two of them.

      Others may use it for different reasons, ranging from being lazy to simply not caring about the language as such and just using the tool made available to them for whatever task needs to be dealt with.

      Is PHP a good and well-designed programming language? Heck, no. Is it popular and very widely used? Yes.

      Not sure what else you want to know.

    9. Re: Where are the sandboxes? by goose-incarnated · · Score: 1

      Why do people use php?

      Same reason they use python - you don't need to be aware of much to get results. In reality, there is very little difference between python and php other than (around) a 200:1 ratio of code in the field and that php is almost exclusively found in world-facing code and python isn't.

      --
      I'm a minority race. Save your vitriol for white people.
    10. Re:Where are the sandboxes? by Anonymous Coward · · Score: 0
  6. Garbage In, Garbage Out by Anonymous Coward · · Score: 0

    Drupal and PHP to be avoided at all costs, if you care about security.

  7. Failure has 1000 mothers by Anonymous Coward · · Score: 1, Insightful

    Oh, stop.

    The problem is not with the Code of Conduct. The problem is with an aging codeset pretending to be up to the challenges of 2018.

    The people who developed Drupal and made it a thing worth using left the building a long time ago. The people who maintain it now are trying to shoehorn Symfony into their API / hook system while also implementing RESTful web services, upgrading legacy modules, modernizing the test framework, working out issues with the templating system, coming up with a decent migration system that doesn't rely on the command line, removing workflow dependencies on Composer, implementing a React-based admin interface, etc.

    Doing too much all at once doesn't leave them with the time to do much right.

    This is all happening while the number of actual committers has dropped by over 70% in the past five years. Wordpress outnumbers Drupal installs 30 to 1. Organizations who traditionally used Drupal as a lightweight content management system are finding it takes heavily customized work to upgrade their websites. ECM customers are finding Drupal lacks governance features that are absolutely necessary to operate multiple digital properties, making it a cheap alternative to a real platform.

    Losing your developer base while alienating the people who championed your system in order to pursue the enterprise is terrible for the entire ecosystem.

    Just look at the videos from the most recent Drupalcon. The sessions are all over the place, there's one about using Drupal to build video games. Anyone who chooses to use Drupal as a video game platform should be fired, considering the number of other reliable platforms that are available. But it's right there, the community is pushing bad advice on people for how to run their digital enterprise.

    Pretending your platform is suitable for use in domains that are well-served by better solutions is a bad idea. Highlighting this sham as an example of the possibilities at your major marketing events is off-the-charts dishonest.

    Sure, with all this upheaval, it's natural for a group of volunteer coders to point fingers and blame other people. They're only human.

    Every problem with Drupal can be traced back to a failure to prioritize, an incompetent Core development team trying to pass themselves off as experts based on the achievements of others, and sham marketing. The Code of Conduct is just an expression of these other problems. TBH, it's funny watching them flail.

    1. Re:Failure has 1000 mothers by hierofalcon · · Score: 2

      The problem is that with every major release they completely revamp the API. Nobody who develops for them can keep up with the changes and there's no automated way that works to upgrade source from release to release. If you choose to use a module because there isn't something you need in core, then you're stuck till the module gets converted to the newest release which may never happen. Eventually, your mind just screams.

      The path to secure code isn't rewriting everything from the ground up with each release. I know that's an exaggeration, but it sure seems like it. The path to secure code is to get things close to right the first time and then do minor tweaks and fixes from then on.

    2. Re:Failure has 1000 mothers by Anonymous Coward · · Score: 0

      Your modules get converted to the newest release?

      Been waiting for a stable release of Organic Groups for Drupal 8 since 2015. The releases on github can't be uninstalled and wreck test sites.

    3. Re:Failure has 1000 mothers by Anonymous Coward · · Score: 0

      Nailed it.

      D8 is a bloated frankenstein mess, and the sheer quantity of contrib modules that STILL haven't been ported to it yet (D8 was launched in 2015...) tells you all you need to know about the developer exodus that has occurred. Config Management was supposed to solve Drupal's horrible "structure and config stored in DB" design flaw, but by all accounts it's just another complicated mess to manage now.

      We ditched Drupal and switched to Silverstripe as our go-to CMS/framework years ago. This has proven to be an excellent decision.

    4. Re:Failure has 1000 mothers by Anonymous Coward · · Score: 0

      The original developers left and it fails to attract new developers probably because of how it has been turned into an SJW platform, pushing out all the productive people. Other projects manage quite well with less.

  8. The problem is obvious by swm · · Score: 0

    the open-source CMS built on the PHP programming language

    1. Re:The problem is obvious by Anonymous Coward · · Score: 0

      add "by a bunch of incompetents" so you get the full understanding of just how big a clusterfuck Drupal is. This is something you should avoid at all cost for any system that has some value to you. Worse still are the idiots that masquerade as Drupal consultants, insane rates and what they churn out is absolute shit.

    2. Re:The problem is obvious by iggymanz · · Score: 1

      it does seem PHP panders to low-talent and lazy developers who make all manner of insecure platforms and modules. A developer who decides to go into PHP is much like a person who joins the band to play the triangle.

    3. Re:The problem is obvious by Anonymous Coward · · Score: 0

      so you get the full understanding of just how big a clusterfuck WordPress, Joomla, AND Drupal are.

      FTFY. All three projects are run by people who don't know the first thing about developing software let alone a major commercial software product.

    4. Re:The problem is obvious by bloodhawk · · Score: 1

      Worse still are the idiots that masquerade as Drupal consultants, insane rates and what they churn out is absolute shit.

      Not wanting to defend Drupal Developers BUT, when you start with a turd, no matter how you mould and shape it what you will end up with will still be at its heart a turd.

    5. Re:The problem is obvious by Anonymous Coward · · Score: 0

      PHP has nothing to do with this. The same programmers would have done the same in any other language (would be 100x worse with C).

  9. Drupal... what a waste by Anonymous Coward · · Score: 0

    I had my first encounter with Drupal and a book "Beginning Drupal" by WROX press. It was supposed to cover Drupal 7. Please, no one ever waste your money on this. I discovered a lot about "Quick and dirty" publishing, and about Drupal. The phrases "the picture you see may have changed since date of publication", and "the API may have changed since time of publication" should help you with your decision. I found those phrases *A LOT* in that book. I got every example to work though. It just took a huge effort on my part, having written a lot of software in a lot of other languages. That there are other ongoing problems with Drupal, that there seem to be fires flaring up that the maintainers are having a difficult time putting out, that the ever-changing API and its ability to break a shocking amount from version to version comes as no surprise. Before settling on a CMS, I tried a few. Those that were either poorly documented, or were undertaking large and destructive changes to the API, I decided to leave alone. Drupal was one I left alone.

  10. mod anon up by Anonymous Coward · · Score: 0

    Drupal is actually worse than Wordpress. Garbage

  11. Wrong. by Anonymous Coward · · Score: 1

    PHP is my go-to language of choice long before Python, Ruby, Go, NodeJS, Rust, Perl, D, C++, etc. It's a superior platform in the hands of someone who knows what they are doing. No language out there *natively* comes close to touching the power, flexibility, and performance of PHP arrays, which are the ultimate data structure with near-O(1) insert, update, delete, and find operations that keeps the order of elements: The hash table + linked list solution to data management is, quite frankly, brilliant.

    Only a fool would disregard PHP as only for "low-talent and lazy" developers. Systems developers would be wise to adopt PHP into their workflows. PHP is also extremely useful as a command-line scripting tool. All of my cron jobs are PHP scripts. Half of my installers are command-line PHP scripts (e.g. SSH automation).

    1. Re:Wrong. by iggymanz · · Score: 1

      Nonsense, a company running those multiple systems will have the PHP ones broken into early and often. Web application firewalls will have the most rules devoted to php flaws and exploits. It is the insecure malware ridden choice, and the low wage developers are the ones who work on it. in short, it panders to low watt bulbs and is an attack and malware magnet.

    2. Re:Wrong. by Anonymous Coward · · Score: 0

      Not sure if funny or serious.

  12. I guess your imagination is limited by goombah99 · · Score: 2

    To try to answer your ridicule patiently, imagine the following. A program running in a sandbox without database access handles the requests and then sends messages to other processes in each of the other sandboxes for the various sub tasks.

    * The customer database verification
    * Backend accounts/card processing interface to process and record sales
    etc..

    The verification is only permitted to set a semaphore (true/false) to communicate the verification back to the master process.

    And so on. Every process is given limited resource access and very limited communication access to another process. As much as possible the communications are handled through single duplex dead drops (like a semaphore).

    This would massively cut down the ways to exploit a defect in one subsystem.

    It's analogous to validating your inputs but much better because the program literally lacks the resources to perform most invalid actions even if the input validation fails.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  13. Drupal is ancient crap. by Anonymous Coward · · Score: 0

    Those still using it deserve whatever consequences their folly entails.

  14. PHPNuke throwbacks by PeterGM · · Score: 1

    I'm getting awfully nostalgic for the security-addled PHPNuke right now. Reminds me of the good old days when even basic user data sanitization seemed to be considered an excessive novelty.

    Perhaps "good old days" is not the best way to describe it, actually.

    --
    There are no stupid questions, just stupid people.
  15. Not really a NEW bug by ericlondaits · · Score: 1

    The original bug was a way to compose query string parameters (the part of the URL after the ?) that permitted injecting executable code in a form. The new bug is a variation where the malicious query string is part of a redirect URL passed through the query string, so it doesn't get filtered with the previous patch, because it has escaped characters. So it's not really a new bug, but rather plugging an oversight on the original patch.

    On the positive side: Drupal has security audits of its core and 3rd party components, you get emails with any security updates and the patches are available through a centralized mechanism... so it's ahead of Wordpress and other platforms with no centralized module library. Release of the patches was announced ahead of time so we could prepare for them. I

    On the negative side: Drupal has fundamental architectural problems of (almost) not having boundaries between data and code. Its form API (which had the original bug) is very practical and implements a lot of great security features, but it's an unfathomable mess... VERY hard to track what it does and very hard to properly use (for 3rd party module developers), since its internal workings are not properly documented. Also, Drupal has a very very extensible architecture allowing for all sorts of pluggable behavior, which also means it's very very hard to track the flow of data... this was a bug present at least since Drupal 6 (released in 2008) because it was not easy to see how data could move from the query string into the PHP structures used to define forms without proper filtering. The new-ish Drupal 8 has a more mature OO architecture, probably cleaner, but even harder to follow without actually running the code with a debugger.

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    1. Re:Not really a NEW bug by Anonymous Coward · · Score: 0

      As explained in this description of the vulnerability, the patch back then didn't deal with any of the underpinning issues. And neither does the new patch for Drupal 7 nor the new patch for Drupal 8. The known avenues of attack may have been plastered over, but the vulnerability still lies dormant, waiting.

    2. Re:Not really a NEW bug by ericlondaits · · Score: 1

      Yes, the patch is a bit "heavy handed" just doing coarse query string filtering... but on the other hand that may have helped delay attacks a bit, by not pinpointing the specific mechanism of exploitation.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    3. Re:Not really a NEW bug by Anonymous Coward · · Score: 0

      It did next to nothing to delay exploitation, although admittedly I'm saying this with the benefit of hindsight. The problem was that people who know how Drupal works saw that the patch filtered keys starting with # and they knew that keys starting with # can have special meaning in Drupal. So then the question becomes: which part of Drupal that assigns special meaning to # allows you to execute arbitrary code? And people put two and two together fairly quickly.
      And this changes little about the fact that the underlying vulnerability is still present and might be exploited in the future using some different line of attack, perhaps one introduced by a new feature added to some future version of Drupal. And there's the question of whether it's a good idea to deliberately apply code changes in the least natural spot, a.k.a. write bad code, in order to throw attackers off the scent. And there's the deeper problem that this vulnerability was caused by multiple really bad decisions and this, how to put it mildly, flavour of code is endemic in Drupal's entire codebase and this is clearly part of the culture of Drupal's developers and arguably the developer pool they're recruiting from. Your claim that Drupal has had security audits sounds really hollow when seen in context.
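The mechanism that ericlondaits's comment ("the malicious query string is part of a redirect URL ... because it has escaped characters") and the reply above ("the patch filtered keys starting with #") describe can be modelled in a few lines. The code below is an added illustration written for this page; it is not Drupal's code (Drupal 8's real filter lives in `Drupal\Core\Security\RequestSanitizer`, and this model omits everything else that class does). The `#marker` key and both query strings are constructed for the demonstration and have no meaning to Drupal; the point is only where a `#`-prefixed key becomes visible to a filter.

```php
<?php
// Added example, not Drupal's own RequestSanitizer. Models two rounds of
// request filtering for '#'-prefixed keys.
//
// In Drupal's Form/Render API an array key beginning with '#' is a property
// (for example '#type'), not a child element, so '#'-prefixed keys arriving
// from a request must never reach those arrays unfiltered.

/**
 * Remove every key beginning with '#' from a decoded parameter array.
 * Returns [cleaned array, list of removed keys].
 */
function strip_hash_keys(array $params): array {
    $removed = [];
    foreach ($params as $key => $value) {
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $removed[] = $key;
            unset($params[$key]);
        }
    }
    return [$params, $removed];
}

/**
 * First-round style filter: look only at the top-level query parameters.
 * parse_str() percent-decodes exactly once, so a doubly encoded '%2523'
 * comes out as the literal text '%23' and is not a '#' at this level.
 */
function sanitize_top_level(string $query): array {
    parse_str($query, $params);
    [$clean, $removed] = strip_hash_keys($params);
    return ['params' => $clean, 'removed' => $removed];
}

/**
 * Second-round style filter: additionally treat a 'destination' parameter as
 * a URL, parse ITS query string (which is decoded a second time here),
 * strip '#' keys from it, and rebuild the destination without them.
 */
function sanitize_with_destination(string $query): array {
    $result = sanitize_top_level($query);
    $params = $result['params'];
    if (isset($params['destination']) && is_string($params['destination'])) {
        $parts = parse_url($params['destination']);
        if (is_array($parts) && !empty($parts['query'])) {
            parse_str($parts['query'], $inner);
            [$inner_clean, $inner_removed] = strip_hash_keys($inner);
            foreach ($inner_removed as $k) {
                $result['removed'][] = 'destination:' . $k;
            }
            $rebuilt = $parts['path'] ?? '';
            if ($inner_clean !== []) {
                $rebuilt .= '?' . http_build_query($inner_clean);
            }
            $params['destination'] = $rebuilt;
        }
    }
    $result['params'] = $params;
    return $result;
}

// Constructed inputs (no Drupal meaning): the same '#marker' key once at the
// top level and once hidden, percent-encoded, inside a 'destination' URL.
$direct = 'q=node/1&' . rawurlencode('#marker') . '=1';
$nested = 'q=node/1&destination='
    . rawurlencode('node/1?' . rawurlencode('#marker') . '=1');

$top_direct   = sanitize_top_level($direct);
$top_nested   = sanitize_top_level($nested);
$deep_nested  = sanitize_with_destination($nested);

foreach (['direct/top' => $top_direct,
          'nested/top' => $top_nested,
          'nested/destination-aware' => $deep_nested] as $label => $r) {
    printf("%-26s removed=%s destination=%s\n",
        $label,
        json_encode($r['removed']),
        json_encode($r['params']['destination'] ?? null));
}
```

Running it shows the three cases the comments contrast: the top-level pass removes `#marker` from `$direct`, removes nothing from `$nested` (the key is still the inert text `%23marker` inside the `destination` value after one decode), and only the destination-aware pass, which decodes that value a second time when it parses the redirect target, catches and strips it. The general lesson is the one the thread circles around: a key filter has to be applied at every layer where request text is turned into array keys, because each extra parse step is another decode that can reveal a character the earlier filter never saw.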