Drupal Warns of New Remote-Code Bug, the Second in Four Weeks

For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties. From a report: Maintainers of the open-source CMS built on the PHP programming language released an update patching critical remote-code vulnerability on Wednesday. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn't provide details on how the vulnerability can be exploited other than to say attacks work remotely. The maintainers rated the vulnerability "critical" and urged websites to patch it as soon as possible.

A new twist on term 'open source'

[TheZeitgeist]

Apparently, the source is open more ways than one.

How outrageous

[Billly+Gates]

Drupal and php are so well secured and up to date that this can happen is simply inconceivable

Re:How outrageous

[Narcocide]

Drupal and php are so well secured and up to date that this can happen is simply inconceivable

You keep using that word... I do not think it means what you think it means.

Where are the sandboxes?

[goombah99]

Why don't developers just write code that doesn't have security holes in it?

Presumably because they can't. It's time we started programing computer resource sandboxes into every application by default.

Linux and Mac, and Windows all have things for this. Macs have a dtrace based sandbox that can be per application or per process.

sandboxes can specify what a process and all child processes can do at the computer resource level. Can they get on the network? Can they access the file system? what files can they access? do they have write permission? how much memory can they use? how much cpu? and so on.

If we always launched processes with these clamped down a lot of security holes would not be exploitable. Why is it these are largely unused?