back to article Friendly reminder to Drupal admins: Secure your sh!t before latest RCE-holes get you

Just days after a remote code execution flaw in open-source web publishing software Drupal was made public, researchers have already spotted live exploits in the wild – reinforcing the need for admins to patch and update their sites immediately. As The Register reported last week: "A successful exploit of the vulnerability …

  1. macjules

    ".. not allow GET/PUT/PATCH/POST requests to web services resources"

    Or you could switch from your buggy Drupal CMS (motto: come for the code, stay for the constant bloody security updates) to a Python CMS such as Django.

    1. Tom Chiverton 1

      Re: ".. not allow GET/PUT/PATCH/POST requests to web services resources"

      Because $platform never needs updates...

    2. J27

      Re: ".. not allow GET/PUT/PATCH/POST requests to web services resources"

      Python isn't magically better than PHP, all stock CMS systems seem to have these sorts of issues. You need to keep them up to date or you're toast.

      One of the fun parts of designing web applications is that I get hundreds of automated reports every day of exceptions, Invalides URLs and malformed requests so I see attempted attacks targetting every well known CMS system. This affects all of them, you run stock code, you have to protect yourself against these quick-moving stock exploits.

    3. LDS Silver badge

      Django and Drupal are two different beasts

      Django is a framework to build web applications, and to get something usable you'll have to write your own code. Drupal is a true CMS, and you can start using it straight out an install if you don't need specific customizations.

      That also means there's much more code in a stock install of Drupal - and thereby the attack surface is larger. No surprise here we have the usual lack of input control passed along technologies like REST were you can pass almost everything you like because the protocol itself has little checks.

      With Django, a lot depends on the skills of the developers building on it - its attack surface could be smaller, but what about the code devs add? It's just less in the radar of security experts.

  2. Spasticus Autisticus

    just to say

    'Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.'

    Version 7.x - 'Supported until November 2021'

    1. macjules

      Re: just to say

      Note the "Versions of Drupal 8" bit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022