Forum Moderators: ergophobe

All Drupal Versions Susceptible to Code Execution, Credential Theft

bill (Administrator from JP), 2:32 am on Jan 7, 2016 (gmt 0)


https://threatpost.com/all-drupal-versions-susceptible-to-code-execution-credential-theft-vulnerabilities/115802/ [threatpost.com]

All Drupal Versions Susceptible to Code Execution, Credential Theft Vulnerabilities

A number of issues exist in the content management system Drupal that could lead to code execution and the theft of database credentials via a man-in-the-middle attack, a researcher warns.
ergophobe (Moderator This Forum), 4:51 am on Jan 7, 2016 (gmt 0)


Strange, I did not get a security notice from the Drupal security team on this one
ergophobe (Moderator This Forum), 4:57 am on Jan 7, 2016 (gmt 0)


Reading that, I would recommend the Hacked! module

[drupal.org...]

Basically, it verifies that your code base matches the code base on Drupal.org for Drupal and your modules. Obviously if you've hacked a module yourself, that will get flagged. But unless you've applied a known patch, you shouldn't be hacking anything in most cases (you should be plugging in and overriding). So Hacked! should let you know if you've been compromised.

If you have a dev -> test -> live workflow, you can update your dev version, run Hacked! and verify the codebase, then do a git push to test and live.

I'm not sure what they mean by "manually" download updates. Most people are going to use drush or git to pull updates. Is that manual? It should be the same source.
andy_langton (Moderator from GB), 11:35 am on Jan 7, 2016 (gmt 0)


That hacked module looks excellent (great way to determine if someone has tinkered with modules and that updates will break things)!

"I'm not sure what they mean by "manually" download updates."

I believe it's a distinction between using admin/reports/updates/update and "manually" grabbing the latest files and replacing them. The issue is with the update system being tricked into downloading from an untrustworthy source.
ergophobe (Moderator This Forum), 9:34 pm on Jan 7, 2016 (gmt 0)


I guess when I wondered what "manual" meant, I wondered if that included drush or not. I'm assuming not, but it could be that it does if you fool the admin/reports/updates/update page. However, update via drush long predates the admin/reports/updates/update system.

Personally, I think using admin/reports/updates/update on Drupal is a recipe for disaster anyway, regardless of security issues. I think it was meant to make Drupal behave more like WordPress, but since Drupal is nothing like WordPress, it won't behave like it (IMO).
ergophobe (Moderator This Forum), 9:40 pm on Jan 7, 2016 (gmt 0)


PS Andy - this is also a reason to have a site under version control. If you do your updates via git, you can simply type

git status

at any time and see if you've been hacked. The Achilles heel there, which bit many of us for Drupalgeddon, was the fact that the exploit involved hacking your scripts, uploading files to the public upload section (like where a file would go if a user uploaded a photo) and then changing the actual script back once their backdoor was in place. So Hacked! and git did no good.
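The blind spot described above is that a hash or git comparison only covers tracked code, while the public upload directory is normally gitignored. As an added example (not code from the thread, the Hacked! module or Drupal), the script below combines both checks: a hash manifest for the code base, plus a scan of the upload directory for script-looking files. The path `sites/default/files` and the scenario in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

UPLOAD_DIR = "sites/default/files"          # assumed public upload path
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar", ".inc"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash every file outside the upload dir; keep the result off the web host."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file()
            and not p.relative_to(root).as_posix().startswith(UPLOAD_DIR)}

def verify_manifest(root: Path, manifest: dict) -> dict:
    """Report code files that changed, vanished or appeared since the manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }

def scan_uploads(root: Path) -> list:
    """Flag executable-looking files in the upload dir, which git status ignores."""
    upload = root / UPLOAD_DIR
    return sorted(p.relative_to(root).as_posix() for p in upload.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES)

def demo() -> dict:
    """Constructed scenario: clean baseline, then the edit/drop/restore pattern."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php // clean\n")
    (root / UPLOAD_DIR).mkdir(parents=True)
    (root / UPLOAD_DIR / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    baseline = build_manifest(root)
    (root / "index.php").write_text("<?php // tampered\n")        # script edited
    (root / UPLOAD_DIR / "cache.php").write_text("<?php // dropped file\n")
    (root / "index.php").write_text("<?php // clean\n")           # script restored
    return {"manifest": verify_manifest(root, baseline), "uploads": scan_uploads(root)}
```

In the constructed scenario the manifest check comes back clean because the script was restored, and only the upload-directory scan reports the planted file.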