Before the year ends, another big security scandal arises. From Drupal’s Public Security Announcement (PSA) page, “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”
How Many Affected?
Now we might wonder, how many websites built on an open-source CMS are based on the Drupal platform? According to Builtwith.com, Drupal holds 4.32% of the entire open-source CMS market share (see here, click on “The Entire Internet”). That amounts to around 735,217 recognized websites built on Drupal. Among its rival CMS platforms, WordPress and Joomla, Drupal takes the smallest market share.
Focusing on the top 10 thousand websites, there are only 337 websites built using Drupal. Quite a small number, come to think of it, if pitted against the entire website landscape. But 337 is still a lot for a determined hacker who wishes to compromise at least one website.
According to articles from the BBC and ZDNet, the number of websites using Drupal could be around 12 million, and the majority (if not all) may need to be patched and updated. Drupal has issued its own press release stating that not all 12 million could be vulnerable. At the very least, a million are affected. To make matters worse, even if you have patched or updated your platform, a backdoor may not be removed, and you would have no trace of what data was exfiltrated.
What Is Our Take?
What, then, is our take on this “shocking” news? Well, the issue is not really about how Drupal coded their CMS platform. We all know that there is no 100% secure software out there, and every piece of software in use is likely to be vulnerable to some exploit eventually. Drupal is a great CMS, and the developers and community have contributed a lot to create it. What we would like to focus on is how website owners and web developers can prevent such attacks from happening.
If you were a web development company, how would you have responded?
It was really great to hear that Acquia was able to protect their clients even though they were vulnerable. See here for how they did it. They protected their clients through a database patch and an HTTP filter approach. This is one very good example of a responsible CMS hosting company. They understand that your website is one of the most powerful marketing tools your company will ever have. They understand that your website is the face of your company on the Internet, and if something bad were to happen to it, you could earn a negative reputation. So, just as budget is given to building your website, they devote at least the same amount of budget, time and effort to securing it.
A bit similar to how Acquia made their “shield”, we at Pandora Security Labs take it to the next level. The Pandora WebRanger solution monitors HTTP requests sent to your CMS and matches the patterns of those requests against attack signatures. Upon detecting a possible attack, WebRanger™ blocks the attack traffic and stops the flow of malicious requests. This in turn gives your web administrator or developer the time to update the vulnerable version of Drupal to a stable and secure version.
You can check out Pandora’s WebRanger solution, aimed at protecting your websites and web applications.
- Vulnerability Description – https://www.drupal.org/PSA-2014-003
- More Info – https://www.ostraining.com/blog/drupal/8-things-drupal-security/
- What To Do? – https://www.drupal.org/node/2365547
- What To Do? – https://www.csoonline.com/article/2841456/application-security/what-you-need-to-know-about-the-drupal-vulnerability-cve-2014-3704.html
- News From BBC – https://www.bbc.com/news/technology-29846539
- PCWorld – https://www.pcworld.com/article/2841372/drupal-if-you-werent-quick-to-patch-assume-your-site-was-hacked.html
- ZDNet – https://www.zdnet.com/article/drupal-warns-unless-you-patched-within-seven-hours-youre-hacked/
- Eweek Article About Acquia – https://www.eweek.com/security/acquia-shields-users-of-cloud-version-of-drupal-cms.html