
Security vulnerability in #Drupal contrib module puts 120000 sites at risk - velmu
http://drupal.sh/vulnerable-drupal-contrib-module-puts-120000-sites-at-risk
======
kyled
Looking at the source it took me < 5 minutes to find the actual vuln =/.
Drupal saying "Just migrate away" is not the correct way to handle this
disclosure. Some people can't switch immediately. A patch should be made
available, and the module should be deprecated. Does Drupal have a way to
update modules easily? If not, there should be...

~~~
deanclatworthy
Same. Took hardly any time to see the SQL injection. I wonder how many more of
these there are on older installations using modules that are no longer
actively maintained (Hint: probably lots. Code quality has come a long way
since the early days of Drupal.)

~~~
phil21
As someone who used to host many Drupal installs - all of them.

The joke around the ops/security team was Drupal is a remote shell with a
bonus CMS attached to it.

~~~
ohthehugemanate
When was it, what versions of Drupal? 8 ended up as a massive rewrite to
replace all the key parts with Symfony components.

------
orf
> Drupal is known for its large number of community contributed modules that
> add functionality to the bare bones core system.

No, it's known for its ridiculous number of security issues and sloppy code :/

~~~
ksenzee
Drupal is easy to criticize, but its handling of security issues and its code
quality aren't the two places I'd start. They're actually two of the strengths
of the project.

~~~
jacquesm
You're missing a /s there.

~~~
mschuster91
I've seen worse, way worse, than Drupal Core.

That of course does not include Drupal modules - there is, similar to the
WordPress ecosystem, the really bad stuff.

~~~
jacquesm
But that's the whole problem right there. Such a plug-in architecture with
every Tom, Dick & Jane writing modules that are loosely vetted and deployed in
the 100's of thousands is broken by design. There is no way a small review
team focused on security will be able to audit what 1000's of dedicated lesser
gods produce.

I can see the advantage of it, you just focus on the core and let the world
take care of its own problems but you end up with nearly every site being
critically dependent on a couple of obscure modules that will not get the
attention they need until it is much too late. This coupled with Drupal's nasty
habit of obsoleting everything every couple of years (I hear they are changing
now) and you're set up for disaster.

So even if Drupal Core is not all that bad it is _never_ just Drupal Core.

~~~
Gaelan
To get a module marked as "covered by the Drupal security team" it _is_
required to go through a community code review.

~~~
lightlyused
Which is pretty easy to pass, you just have to follow the coding standards.

~~~
Gaelan
And not have any (glaring) security flaws.

------
janwillemb
Title is: Security vulnerability in _unmaintained_ Drupal contrib module puts
120000 sites at risk

(Emphasis mine)

