Drupal Security: Not Shocking but Responsible

Over the years, I've made it an unwritten policy not to sensationalize bug fixes and security vulnerabilities in content management systems. While there may be great interest in such stories, I believe such stories have a tendency to cause more harm than good. When sensationalized, such articles tend to cause customers to address security concerns with emotion instead of logic which is never a good thing. So, when the security vulnerability known as "Drupageddon" broke and Drupal developer Bevan Rudge posted "Your Drupal website has a backdoor", I knew this story was going to eventually reach mainstream media. In the meantime, I've been struggling on how best to write this article and what story need to be told.

Drupal IconFor those that don't know, Drupageddon is the highly critical SQL injection vulnerability in Drupal 7 core and was fully disclosed by the Drupal Security Team in SA-CORE-2014-005.  Since the dawn of time when databases were introduced to websites, SQL injection vulnerabilities have been discovered and in the majority of cases when found are patched by their developers and system administrators. What makes Drupageddon particularly nasty is the vulnerability can be exploited by users not even logged into your site (in Drupal they're called anonymous users). Worse, if you didn't update your site quickly enough, your site may still be compromised even after applying the fix (in Drupal 7.32 or later versions).

It took two weeks, but the media have finally begun to use this Drupal event to sell their headlines. A recent BBC article claims that "up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software". While there is the potential for every single Drupal site on this earth to be compromised, I tend to believe Bevan Rudge's assessment that the real world numbers are more likely in the "hundreds of thousands". But the author of the article also found someone to state that this vulnerability and the need to audit your system for additional vulnerabilities is "shocking".

Having managed various software applications and websites for two decades, I find myself annoyed and angry that once again I'm patching and auditing my websites with extreme effort. We've all seen these type of security exploits in a wide range of software applications from a wide range of software developers. Ten years ago I discovered an ecommerce website that I managed hacked due to a SQL injection exploit. What upset me the most wasn't that the site was hacked but that the application's developers were aware of the problem for months but failed to publicly disclose the information to users. While the software industry has gotten better to disclose vulnerabilities and provide fixes for their software there is a lot of improvement than can still be made.

Perhaps what is shocking for those that don't know Drupal's open source community isn't the security exploit itself, but observing Drupal's willingness to fully disclose and take responsible steps to fix what is broken. It has been my experience that too many software vendors attempt to "soften the blow" in their disclosures to please the marketing arm of their company no matter how serious the exploit. Drupal on the other hand often takes the opposite approach. As a CMS critic I don't think I could write stronger words of warning in an article than what Drupal's community already does.

Drupal Security Team:  A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. [October 15, 2014]

Bevan Rudge, Drupal.Geek.NZ: I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and ninety percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution.

If your Drupal 7 (and 8) website is not updated or patched it is most likely compromised. If your website was not updated within a day of the announcement, it is probably compromised. Even if your website was updated within a day, it may be compromised. [October 22, 2014]

Drupal Security Team: While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. [October 29, 1014]

I'm not a software developer, but I understand the news cycle for covering content management systems very well. Although this is a two week story for the Drupal community, we can expect to see more articles from authors and experts claiming their shock and dismay that such vulnerabilities in the Drupal software can exist. My spin is simply this, the media is only aware of this story because Drupal takes ownership and responsibility to disclose and address security issues in its own software. I personally find news of the vulnerability a non-story. The real story out there are the companies and software developers pointing fingers at Drupal and are not so forthcoming with their own security vulnerabilities. Those are the stories that need to be told.