
Up to 12M websites may have been compromised via Drupal vulnerability - aburan28
http://www.bbc.com/news/technology-29846539
======
aleem
My sympathies are with the Drupal community, it may never fully recover from a
crisis of this magnitude despite whatever.

At times like this, I really wish there were more best practices to mitigate
against these types of vulnerabilities.

One idea is using the remote-execution vulnerability itself to remotely patch
the servers by passing the antidote as the payload. I am not sure if this
would be legal.

The other is something what CloudFlare already does but doing it at the
hosting-provider or ISP layer. It need not be as proactive as CloudFlare which
can inspect HTTP requests for known exploits and blocks them. It could be
something as simple as running scanners and routinely informing customers that
their websites are vulnerable. Or better still, temporarily disabling the
account or putting it into read-only mode, thereby forcing users to take
action.

~~~
geerlingguy
> _At times like this, I really wish there were more best practices to
> mitigate against these types of vulnerabilities._

There are many best practices:

- Use version control.
- Have remote backups for the past day, week, month, etc.
- Apply security patches immediately (and have test infrastructure so you can make sure they don't break anything).
- Be able to rebuild a server from scratch w/ backups (configuration management really helps here).
- Subscribe to security mailing lists/RSS feeds/Twitter accounts.

This vulnerability is pretty bad, of course, but there have been _many_ like
it before, and there will be many like it in years to come.

If nothing else, use this situation to prepare for the worst on your own site;
how would you respond if your site was hacked, your database in an unknown
state, and your codebase potentially backdoored?

~~~
eropple
Configuration management is an enormous pain for systems like Drupal that are
essentially built ad-hoc, though. It's not something that's practically baked
into something like Chef unless you're willing to spend a ton--a _ton_--of
time baking your assumptions into code. And that (along with stuff like a test
infrastructure) assume the capability of even doing it; Bob's Bait Shop does
not have the technical staff necessary to act according to best practices but
definitely needs a website. ("Use SquareSpace" is rarely an answer, though
depending on the project it can be; anything remotely clever is going to need
to go outside of the usual SaaS providers and that's why there are so many
rickety Drupal sites out there. I used to write them, I know.)

Once again, software is harder than it needs to be. Gary Bernhardt has been
going into this in depth on Twitter lately, and I agree with him more and more
as I pay more attention to the shitshow around us.

~~~
noir_lord
> Configuration management is an enormous pain for systems like Drupal

As someone who worked on Drupal for a couple of years in the days of 5/6 this
was my biggest problem.

I don't think things have improved much.

~~~
geerlingguy
Things have improved greatly! With Drupal 7, there are two main solutions, the
configuration management module, and features. With Drupal 8 (likely coming
out within the next year, currently in beta) YAML-based exportable
configuration management is baked into core and will be much more accessible
for custom development and contributed modules.

~~~
eropple
Sure. Now they need to grapple with the fundamental differences between
install-and-tweak and design-through-code to actually make this meaningful in
a modern (Chef/Puppet/Docker) environment. I won't be holding my breath.

~~~
geerlingguy
A modern, well-architected site build works wonderfully with the
aforementioned tools. In fact, I have a demonstration VM (Vagrant + Ansible)
that you can use to bootstrap a Drupal site with a given install
profile/configuration in a few minutes using a Drush makefile:
[https://github.com/geerlingguy/drupal-dev-vm](https://github.com/geerlingguy/drupal-dev-vm)

Sadly, most Drupal developers and development shops either don't know about or
don't care to take the time to build sites in this manner (instead of
schlepping databases and file dumps all over the place, export everything to
code)... but if you do, team-based/large project Drupal development becomes so
much more sane.

~~~
eropple
I'm aware of drush and its makefiles. In the overwhelming case, that's
antithetical to how working on Drupal actually is, because of the amount of
exploration and tweaking involved. It's not a sufficiently simple product such
that you can just eyeball a makefile and go.

------
arkitaip
One of the nice things about major releases of Wordpress is that it will auto
patch minor releases. I believe this is a reasonable approach for most open
source CMS even if it might break some functionality. You can also fairly
easily add auto update for plugins and themes by modifying wp-config.php [1].

I suggest that themes/plugins with 100% compatibility ratings should be auto
patched too. Auto patching themes can be problematic because updates override
changes you've made to the theme files. So my other suggestion would be to
automatically create a child theme for every installed theme so that devs can
easily update the parent theme and keep changes made to it.

[1] [http://codex.wordpress.org/Configuring_Automatic_Background_...](http://codex.wordpress.org/Configuring_Automatic_Background_Updates)

~~~
nkuttler
Of course, giving your php webapp the permission to rewrite its core files is
a brilliant and secure idea!

~~~
ams6110
Most operating systems do it. It's not an intractable problem.

~~~
hahainternet
Said operating systems typically require you to use an account that is
inaccessible to almost all automated processes. This would not be the case,
the two are not analogous.

~~~
Retric
Signed binaries can get you most of the way there. It's still a trade-off and
for most users waiting to apply a security patch is a larger danger.

------
UnoriginalGuy
Why does Drupal use string manipulation to generate SQL statements instead of
bind parameters? It is 2014, hasn't this been best practice since at least the
late 1990s? Wouldn't all security audits, including automated ones, pick this
up?

And before someone makes a "joke" about PHP, they're using the PDO framework
which supports bindParam(). Seems like woeful incompetence in the Drupal
codebase to me.

Exploit in detail:
[https://www.sektioneins.de/en/advisories/advisory-012014-dru...](https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html)

~~~
jiggy2011
The query in question is using an IN clause which takes a tuple of values.

I don't think bindParam will allow you to bind an array into a tuple, the
only way to pass the tuple is by forming it as a string and adding that to the
query string.

~~~
michh
It's awful how poorly IN-clauses are supported (in lots of places, not just
PHP) considering how often they're used and how useful they are. I mean basic
stuff like being able to use them securely or making programmers write their
own checks to prevent SQL-errors on empty lists.

~~~
opendais
No, it doesn't. PHP can handle it fine and we've undergone multiple attacks
and security audits [both daily automated ones and professionals by hand]. :/

The problem here was a mistake someone made, not a fundamental support problem
with the language.

This is precisely why people mock PHP developers. :/ So many don't even
understand how the language f'n works.

~~~
michh
I never said it was a problem with the language. I said it was poorly
supported in a lot of platforms _including_ PHP and I stand by that.

It has nothing to do with passing security audits or withstanding attacks,
there's not a security flaw in the way PHP handles this because PHP or
specifically the PDO framework relies on the user to implement this themselves.
There obviously can't be a security flaw in something which does not exist.

A quick Google search suggests it is not at all obvious to many how to do a
parametrised query with an IN-clause using PDO. The highest ranking answer is
this SO post:
[http://stackoverflow.com/a/1586650](http://stackoverflow.com/a/1586650)

Having to iterate the array yourself adding the right amount of placeholders
and binding individual values is secure but a lot of boilerplate. Escaping
values in PHP and concatting them in the old fashioned way ought to be safe
but everyone switched to parametrised queries for a reason: in practice it's
often fucked up which leads to security vulnerabilities. The last one, the
find_in_set trick, is a clever kludge but a kludge nonetheless.

People shouldn't need to roll their own way to do this because that's where
unnecessary mistakes get made.

~~~
opendais
> A quick Google search suggests it is not at all obvious to many how to do a
> parametrised query with an IN-clause using PDO.

A lot of programmers can't do FizzBuzz either. If you can't figure out how to
iterate and count an array on your own...

I'm sorry but I have 0 sympathy.

~~~
michh
Just as I have no sympathy for programmers forgetting to always call
mysql_real_escape_string and setting their encodings right in the old MySQL
driver, it's not difficult to get right, but tons of people didn't and it made
the web a worse place for everyone.

Plus, they might be able to figure out how to iterate and count an array but
they might also figure out how to use implode instead which is less code and
programmers tend to be lazy. And suddenly they've opened their app up to SQL
injection because they forgot or are unaware they now need to do escaping
despite using prepared statements.

And since their app might contain _my_ data, I care about this and not just
think "those idiots brought it upon themselves".
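
As an added example (not code from the thread, from Drupal or from the SO post), the placeholder-per-value approach michh describes, with the empty-list case handled and the implode() shortcut shown alongside for contrast; it assumes the pdo_sqlite extension and a constructed users table:

```php
<?php
// Added example (not from the thread or Drupal): a PDO IN-clause helper that
// emits one "?" per value and binds each value, beside the implode() shortcut
// it replaces. Assumes the pdo_sqlite extension; the users table is constructed.

// Returns [sql fragment, parameters]. An empty list yields the always-false
// predicate "0" instead of the syntax error "IN ()".
function inClause(string $column, array $values): array
{
    if ($values === []) {
        return ['0', []];
    }
    $placeholders = implode(',', array_fill(0, count($values), '?'));
    return ["$column IN ($placeholders)", array_values($values)];
}

function safeLookup(PDO $pdo, array $names): array
{
    [$where, $params] = inClause('name', $names);
    $stmt = $pdo->prepare("SELECT name FROM users WHERE $where ORDER BY name");
    $stmt->execute($params);   // values are bound, never pasted into the SQL text
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The shortcut to avoid: the values become part of the SQL text, so a prepared
// statement cannot protect them and a quote inside the data rewrites the query.
function unsafeInSql(array $names): string
{
    return "SELECT name FROM users WHERE name IN ('" . implode("','", $names) . "')";
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$insert = $pdo->prepare('INSERT INTO users VALUES (?)');
foreach (["alice", "bob", "o'brien"] as $n) {
    $insert->execute([$n]);
}

// Constructed input with an apostrophe: bound, it is just data.
print_r(safeLookup($pdo, ["o'brien", 'bob', 'nobody']));   // bob, o'brien
print_r(safeLookup($pdo, []));                              // empty array, no SQL error
echo unsafeInSql(["o'brien"]), "\n";   // the apostrophe has already broken the SQL text
```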

------
daviddede
And that was at the same time that everyone was worried about POODLE and the
media was going crazy over it.

Somehow this vulnerability went over the radar.

What is interesting is that based on our own data, we started noticing attacks
around 8 hours after it was disclosed and we shared some of the payloads being
used here:

[http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts...](http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html)

------
buro9
I cannot think of how many charities this will affect. Almost without
exception, every small or medium UK charity I know uses Drupal in some way for
their work. These are usually customised for a specific project, and some of
these will have donation facilities built-in.

The worrying thing as always is that few people upgrade these instances once
they are launched and operational.

~~~
bigiain
I'm wondering how many Australian government departments - who're all
encouraged to use a government supported Drupal platform - are dealing with
this properly: [https://agov.com.au/](https://agov.com.au/)

------
troymc
In the WordPress world, there are many "managed" WordPress hosting providers
(including wordpress.com) which will apply WordPress core updates
automatically.

In the Drupal world, there are some similar managed Drupal hosting providers
(e.g. Drupal Gardens), but they're much less common. I wonder why.

~~~
geerlingguy
There are a few, such as Pantheon[1], Acquia Cloud[2], Platform.sh[3]. All
three of the above providers did add some level of protection immediately
following the security announcement, and they (and some other providers)
helped ensure sites were updated to 7.32 as soon as possible.

I have to link back to my earlier comment about the key takeaway here[4]—not
just for Drupal sites, but for anyone who operates any site on any server. You
can't afford to let your site sit unmaintained if you value the information
within; and if you build sites for other people, you have to convey the
importance of that to your customers... 'With great power comes great
responsibility' and all that jazz.

Your site is either currently broken, or will be someday; it's not about
making 100% secure code and servers (you strive for that, of course); it's
about your response once something happens (e.g. a security patch is
released).

[1] [https://www.getpantheon.com/](https://www.getpantheon.com/)

[2] [https://www.acquia.com/products-services/acquia-cloud](https://www.acquia.com/products-services/acquia-cloud)

[3] [https://platform.sh/](https://platform.sh/)

[4] [https://news.ycombinator.com/item?id=8529385](https://news.ycombinator.com/item?id=8529385)

------
jareds
I have started to use Drupal to create a small site for a non-profit. I
disabled the site a couple of days after this vulnerability. Is there a way to
determine if I have been compromised or since I have put about 30 minutes of
work into it so far am I better off rebuilding from scratch?

~~~
dubcanada
Go into your Drupal updates and see if the core says 7.32 if it does you are
good. If it doesn't just update it using drush and carry on.

~~~
objclxt
No: that's not good advice. The OP said "I disabled the site a couple of days
after this vulnerability", but we know that there were attacks in the wild
within hours of disclosure. If it's only 30 minutes work you might as well
start over.

------
nakovet
I've updated my site the minute I got the e-mail, though I am not sure if it
was fast enough, because there is no way to know if there is any backdoors,
besides installing a fresh version and checking the differences.

~~~
macNchz
I've cleaned up a bunch of compromised servers, and I've never encountered—at
least with exploited wordpress installs—an attacker sophisticated enough to
change the timestamps on the files containing back doors, so, while I always
just overwrote everything from a backup, finding all of the backdoored files
right away would amount to something like:

    $ find /var/www/blah.com/htdocs/ -iname "*.php" -mtime -1 -print
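
An added example (not from the thread) that does the timestamp sweep above in PHP and adds the comparison against a fresh install that nakovet mentions, since a timestamp-only check misses files whose mtime was reset; the two directory paths are assumptions supplied on the command line:

```php
<?php
// Added example (not from the thread): the timestamp sweep above in PHP, plus a
// content comparison against a clean copy of the same release, because a
// timestamp-only check misses files whose mtime was reset.
// Assumptions: the two directories are supplied on the command line.

function phpFiles(string $root): array
{
    $root = rtrim($root, '/');
    $files = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $info) {
        if (strtolower($info->getExtension()) === 'php') {
            // key: path relative to the root, so live and clean trees line up
            $files[substr($info->getPathname(), strlen($root) + 1)] = $info->getPathname();
        }
    }
    return $files;
}

// Equivalent of `find ... -iname "*.php" -mtime -N`: files changed in the last N days.
function recentlyModified(string $root, int $days): array
{
    $cutoff = time() - $days * 86400;
    return array_keys(array_filter(phpFiles($root), fn($p) => filemtime($p) >= $cutoff));
}

// Hash every .php file and report ones absent from, or different from, the
// clean release. Expect legitimate hits for settings.php and site-specific
// modules; review those by hand rather than excluding them blindly.
function diffAgainstClean(string $live, string $clean): array
{
    $cleanFiles = phpFiles($clean);
    $report = ['added' => [], 'modified' => []];
    foreach (phpFiles($live) as $rel => $path) {
        if (!isset($cleanFiles[$rel])) {
            $report['added'][] = $rel;
        } elseif (hash_file('sha256', $path) !== hash_file('sha256', $cleanFiles[$rel])) {
            $report['modified'][] = $rel;
        }
    }
    return $report;
}

$live  = $argv[1] ?? '/var/www/blah.com/htdocs';   // path used in the thread
$clean = $argv[2] ?? '/path/to/fresh-drupal';       // placeholder: unpacked clean release
print_r(recentlyModified($live, 1));
print_r(diffAgainstClean($live, $clean));
```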

------
simonmales
Do any of the honeypots have examples of the backdoors in action?

~~~
daviddede
We have a few samples of the SQL injection attempts here:

[http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts...](http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html)

In there you can see the type of backdoors being added (generally fake users
with admin-level privileges).

------
chx
Perhaps read [http://cmsreport.com/articles/drupal-security-not-shocking-b...](http://cmsreport.com/articles/drupal-security-not-shocking-but-responsible-11234) as well.

~~~
scolson
I read that article last night and was wondering if someone here was going to
point out how the 12m figure is made up.

Were there compromised sites? Sure, but I would be surprised if it were more
than an order of magnitude less than what the bbc reported. That is still a
lot of sites, but not a monumental cluster-fsck that the aftermath is being
made out to be.

------
aaron695
I have seen 0 evidence of any mass compromise.

In fact I've seen 0 evidence of even one site being compromised.

Any links with substance?

------
notastartup
Why is Drupal so popular?

~~~
las_cases
I believe it is because at one point Drupal was a pretty solid foundation for
a lot of project types and was greatly flexible.

Right now WordPress is way more popular though.

~~~
butterfi
Wordpress and Drupal have similar features, but typically WP is thought to be
more of a blogging platform while Drupal has a platform for not just blogging,
but online community, e-commerce, etc.

~~~
ninjaplease
Yeah not really that much of a distinction these days. People have built just
about anything on WordPress. Community & ecommerce are both covered pretty
solidly by the plugin ecosystem.

~~~
dubcanada
You can build a skyscraper using a hammer, but you probably shouldn't. It's
the exact same argument with WordPress and Drupal. Drupal is vastly superior
for most dynamic website tasks than WordPress is. Views + content types
provide that.

~~~
icelancer
Worked on both as a dev and decided to use WP for our business that sells mid-
six figures annually through our shopping cart, which is just modified
WooCommerce. I don't agree that Drupal is vastly superior at all; maintenance
and sustainment is far worse with the Drupal project.

~~~
r0s
I've had the same experience and the opposite opinion.

~~~
icelancer
I guess that's kind of the point. It all works just fine if you're a decent
developer and know what to outsource and what to avoid. The
platform/framework/language wars are a useless waste of time.

