Patch Drupal now: Yet another critical website bug found – a sequel to 'Drupalgeddon2'

After scrambling to patch a critical vulnerability late last month, Drupal is at it again. The open source content management project has issued an unscheduled security update to augment its previous patch for Drupalgeddon2. There was also a cross-site scripting bug advisory in mid-April. Running Drupal? You need to …

  1. Pascal Monett Silver badge
    Facepalm

    You canna win, can ye?

    Patch and users grumble, don't patch and users grumble.

    Come on, people, they're doing something and doing it in a timely manner.

    If you don't like patching, go back to Windows XP, you'll be fine there.

  2. arctic_haze

    Beware of unattended content management systems

    Joomla has a similar history of vulnerabilities. It seems Drupal is equally dangerous. So if one needs to use it, it should at least be very vigorously patched. However, external subcontractors creating content on such tools often leave it without any patching framework whatsoever. That's at least what the company I work with experienced.

    1. wolfetone Silver badge

      Re: Beware of unattended content management systems

      "What's that? You want your website patched? Oh well that falls outside of our contract agreement, but would you like to sign up to our security service? We'll patch it for you for £X a month."

      Is one method by which a cowboy outfit I used to work for conducted its business.

      Other than that, the web is awash with sites that are static but built on CMS systems that neither the builder nor the owner ever bother looking at again.

  3. ZenCoder
    Gimp

    Why I stopped supporting Drupal.

    https://www.theregister.co.uk/2017/04/13/drupal_gor_protest/

    I find their apparent obsession about each other's private sex lives inappropriately invasive, just plain creepy and weird.

    1. AlexGreyhead
      Pint

      Re: Why I stopped supporting Drupal.

      "Come for the software, stay for the ... people"?

      But seriously, that argument's a bit on the silly side, isn't it? That's like swearing off Windoze because it powers the computer systems of Evil Corp.

      (Full disclosure: I earn a crust as a Drupal developer and have seen some awful examples of sites built with it, but I've also seen awful WordPress sites, awful Joomla sites, and awful home-grown sites).

      /Al - beer, because Drupal has driven me to drink.

  4. caffeine addict

    I've worked with many frameworks and various (.*) management systems in my twenty-ish years in this field, and nothing has filled me with dread like working on a Drupal system.

    As far as I can see, the only people who like Drupal are the people who build sites in it, then keep getting called back as contractors because no-one can work out what the hell they've done or how to maintain it themselves. It's the only system I've met so far that has made me quit a job or refuse a job offer. And I have next to no standards. ;)

    1. whatsyourShtoile

      You hit the nail on the head there buddy. A classic case of good money after bad.

      Once you go Drupal, you might as well bend yourself over a table.

    2. Nick Ryan Silver badge

      I have the exact same terror of SharePoint. That and very high psychiatrist bills.

      I am less wary of Drupal because at least I can see the source and see what is going on. It may not be beautifully designed or implemented core code (8 is better than 7) but at least it is visible. SharePoint, on the other hand, is totally opaque, almost indescribably inefficient and there are still daft bugs in there that were present in releases from 15 years ago. Expecting, let alone trusting, SharePoint to do anything like what a sane person would expect a "CMS" * to do is asking for trouble - basically just give up and do everything the "SharePoint way" regardless of how insane it is; fighting SharePoint stupid is a pointless endeavour.

      * I know it's not strictly a CMS, it's often used as one though...

  5. Anonymous Coward
    Anonymous Coward

    Patching away, again. Though each time something on some site invariably breaks. Which is why I am extremely happy we have web application firewalls that are meticulously maintained. It’s frankly amazing how many blocked requests there were the last month, checking for the latest Drupal vulnerabilities... One Drupal site is still on 7.54. The thing that broke when updating to 7.58 was the same thing that broke when updating to 7.54, but the web developer that “fixed” it didn’t document and forgot what he did.

    By the way, maybe it’s just here but it seems that tickets logged by development teams for the infrastructure team are invariably high priority. The other way around: well, let’s just say that I have an open ticket that will celebrate its third birthday next month...

  6. whatsyourShtoile
    Mushroom

    rude and apathetic

    I briefly had the misfortune of working for a Drupal shop, on the team responsible for some name-brand restaurant booking service. The Drupal developers specifically are the rudest, most apathetic people I have ever worked with. They don't like people asking questions, they don't like fixing bugs, they don't like testers at all. And no matter how shit their code was, they always expected me to write tests that would pass when they committed it on the last day of every sprint.

    They all thought that caching was like magic pixie dust in its ability to make crap websites run well.

    And they were charging in the region of 5 or 6 hundred a day essentially to make bad website templates.

    I hate Drupal.

    1. Nick Ryan Silver badge

      Re: rude and apathetic

      I like Drupal, on the other hand I completely agree with your experience of the Drupal developers. They have improved a little, but that's an extremely low bar to start from. Some seem to run it like an academic project operated for their own technical amusement and self-congratulatory esoteric thoughts compared to something that is meant to be used in the real world. If they didn't have this attitude, it would be considerably more successful than it is.

      1. The Alpha Klutz

        Re: rude and apathetic

        In fairness the rendering engine for Drupal is more complicated than a turbofan jet engine. Does it really need to be that way? Ask a Drupal dev and they will tell you it's not complicated enough.

  7. Anonymous Coward
    Anonymous Coward

    "I would rather spend my time on creating new stuff than patching Drupal core sites."

    Then use a static site generator like Jekyll, Hugo or hundreds of others.

    If you need dynamic content, make a JSON backend which your page interacts with via JavaScript. This gets rid of about 90% of framework vulnerabilities.
