Story 2014-11-02 2TW2 Recently discovered bug means most or all Drupal sites have been compromised

Drupal is an open source content management system and more that powers millions of websites worldwide. Liked for its configurability and endless extension through modules, Drupal is a huge part of Web 2.0. And it's been thoroughly rooted. The BBC is reporting:
In its "highly critical" announcement, Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October "should proceed under the assumption" that their site was compromised. Anyone who had not yet updated should do so immediately, it warned. However, the team added, simply applying this update might not remove any back doors that attackers have managed to insert after they got access. Sites should begin investigations to see if attackers had got away with data, said the warning.

"Attackers may have copied all data out of your site and could use it maliciously," said the notice. "There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised.
This one is nasty. Security researcher Graham Cluley reports:
According to the company, "automated attacks" started to hit websites running Drupal version 7 within a matter of hours of it disclosing a highly critical SQL injection vulnerability on October 15th.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

If a site using a vulnerable version of the Drupal CMS is attacked, hackers could steal information from the site or open backdoors to allow them continued remote access to the system.
If your site has been compromised, this Drupal help page gives you an answer to the question "Now what do I do?" But here's a tip from your friendly editor zafiro17: Step one is "pour yourself a nice glass of scotch and drink it. You're going to be wiping the site and starting over." No charge for that advice.

[Ed. note: This just in from Joomla: "Nyah nyah!"]

Dominant stack (Score: 0)

by Anonymous Coward on 2014-11-03 08:15 (#2TWA)

I cringe to think what it would be like if this was a piece of a dominant stack like Microsoft or SAP

Re: Dominant stack (Score: 1)

by zafiro17@pipedot.org on 2014-11-03 11:24 (#2TWC)

Drupal is pretty darned dominant though, in the web content world, anyway. I know Wordpress is probably the biggest one out there but Drupal is probably second I'd think, or not far away from the top, anyway. But on /. and elsewhere, wherever a Drupal thread comes up there's an instant reaction from people who have programmed for it, and they complain it's a hairball of spaghetti code. Maybe this was a train wreck in the making and anybody who knew the code knew sooner or later it would happen.

Still, how would you like to be the person responsible for writing a security announcement that goes, "unless you've patched recently, you have probably already been compromised?" That's got to be pretty uncomfortable.

Re: Dominant stack (Score: 1)

by zafiro17@pipedot.org on 2014-11-03 11:25 (#2TWD)

Oh, and before Microsoft pats itself on the back, there's a vuln going around now that uses freaking Powerpoint as a vector, so Microsoft isn't free and clear yet either:

http://www.theregister.co.uk/2014/10/22/powerpoint_attacks_exploit_ms_0day/

Powerpoint, fer Chrissake. How long have we been dealing with this? Adobe, same thing. So tired of updating Adobe products.

Re: Dominant stack (Score: 2, Interesting)

by Anonymous Coward on 2014-11-03 14:50 (#2TWG)

That's what really gets me about these recent exploits. They get tons of publicity, but similar ones from the big proprietary vendors are kept quiet. So now my PHB thinks that security is only an issue with OSS.

Re: Dominant stack (Score: 1)

by zafiro17@pipedot.org on 2014-11-03 17:52 (#2TWJ)

Sure seems like the exploits by big vendors' software make a pretty big splash too - there sure is a lot of press about the latest Microsoft hacks - The Register.co.uk for example has a field day with "Patch Tuesday."

Re: Dominant stack (Score: 0)

by Anonymous Coward on 2014-11-03 22:31 (#2TWK)

The Register is not the sort of thing that a PHB reads. I've never seen a MS hack in anything mainstream, but I would be so happy if I was wrong about this.

Re: Dominant stack (Score: 1, Informative)

by Anonymous Coward on 2014-11-03 22:35 (#2TWM)

The words you are looking for are Best of Breed or Industry Standard. For CMS this is Drupal or Sharepoint or Confluence. Dominant stack means that your business uses multiple, usually all, products needed from one vendor. So a Microsoft dominant stack will mean that new servers will be Windows Server instead of Linux. Sharepoint instead of Drupal. Even if Drupal is better. Other dominant stacks include SAP, IBM, CA, GNU/Open Source.

Re: Dominant stack (Score: 1)

by zafiro17@pipedot.org on 2014-11-04 08:56 (#2TWP)

Didn't know that - thanks!

Re: Dominant stack (Score: 1, Funny)

by Anonymous Coward on 2014-11-04 09:29 (#2TWQ)

You learn something Gnu every day