All Drupal Versions Susceptible to Code Execution, Credential Theft

Forum Moderators: open

Message Too Old, No Replies

All Drupal Versions Susceptible to Code Execution, Credential Theft

bill

2:32 am on Jan 7, 2016 (gmt 0)

https://threatpost.com/all-drupal-versions-susceptible-to-code-execution-credential-theft-vulnerabilities/115802/ [threatpost.com]

All Drupal Versions Susceptible to Code Execution, Credential Theft Vulnerabilities

A number of issues exist in the content management system Drupal that could lead to code execution and the theft of database credentials via a man-in-the-middle attack, a researcher warns.

ergophobe

4:51 am on Jan 7, 2016 (gmt 0)

Strange, I did not get a security notice from the Drupal security team on this one

ergophobe

4:57 am on Jan 7, 2016 (gmt 0)

Reading that I would recommend the hacked module

[drupal.org...]

Basically, it verifies that your code base matches the code base on Drupal.org for Drupal and your modules. Obviously if you've hacked a module yourself, that will get flagged. But unless you've applied a known patch, you shouldn't be hacking anything in most cases (you should be plugging in and overriding). So hacked! should let you know if you've been compromised.

If you have a dev -> test -> live workflow, you can update your dev version, run Hacked! and verify the codebase, then do a git push to test and live.

I'm not sure what they mean by "manually" download updates. Most people are going to use drush or git to pull updates. Is that manual? It should be the same source.

Andy Langton

11:35 am on Jan 7, 2016 (gmt 0)

That hacked module looks excellent (great way to determine if someone has tinkered with modules and that updates will break things)!

I'm not sure what they mean by "manually" download updates.

I believe it's a distinction between using admin/reports/updates/update and "manually" grabbing the latest files and replacing them. The issue is with the update system being tricked into downloading from an untrustworthy source.

ergophobe

9:34 pm on Jan 7, 2016 (gmt 0)

I guess when I wondered what "manual" meant, I wondered if that included drush or not. I'm assuming not, but could be that if you fool the admin/reports/updates/update page. However, update via drush long predates the admin/reports/updates/update system.

Personally, I think using admin/reports/updates/update on Drupal is a recipe for disaster anyway regardless of security issues? I think it was meant to make Drupal behave more like Wordpress, but since Drupal is nothing like Wordpress, it won't behave like it (IMO)

ergophobe

9:40 pm on Jan 7, 2016 (gmt 0)

PS Andy - this is also a reason to have a site under version control. If you do your updates via git, you can simply type

git status

at any time and see if you've been hacked. The Achilles heel there, which bit many of us for Drupaggedon was the fact that the exploit involved hacking your scripts, uploading files to the public upload section (like where a file would go if a user uploaded a photo) and then changed the actual script back since their backdoor was in place. So hacked! and git did no good.