back to article Drupal flicks fix to nix OpenID admin account hijack hole

Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators. The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system. Drupal's security team say attackers can target unpatched systems if they hold an …

  1. batfastad

    Drupal is

    ... a pile of cr4p. Unfortunately it's the most flexible pile of cr4p there is in the open source CMS world, so I end up seeing it all over the place.

    I've seen 2,000 DB queries per request on some pages with bloat loads of modules/views/whatevers. Scalable.

    1. Awil Onmearse

      Re: Drupal is

      True, many shops go overboard with contrib and this leads to scalability problems, easily enough mitigated with appropriate use of query, object and page caches to relieve the DB.

      Compared to some nameless commercial offerings, with DB schemas over-normalised to within an inch of their miserable lives, core Drupal at least is pretty fleet-of-foot.

      1. batfastad

        Re: Drupal is

        In our testing stock Drupal (with APC and Drupal caching) couldn't match an old fully-loaded Joomla (without APC). When we added APC to Joomla it was game over.

        Please note that I don't like Joomla either, I think all CMSs are a pile of rubbish. But at one site I ended up with APC, Drupal caching, memcached and even then they could only get about 30 req/s.

        In the end, I found the best way to get performance out of Drupal was to not use Drupal. And run Varnish on top. Wooooosh! :)

        Don't even get me started on PHP code being stored in the database and eval()'ed out. That is insanity.

  2. Vincent Ballard
    WTF?

    Mitigated?

    Verisign, LiveJournal, or StackExchange? It's not hard to sign up for an account with at least two of those three, so that's hardly a mitigation.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021