Skip to main content

Hackers could attack 1 million websites in a content management system flaw

A vulnerability discovered in a popular content management system could leave nearly 1 million websites open to attack if left unpatched. The developers behind the content management system, Drupal, label the issue as “highly critical” because the vulnerability enables various attack points and could grant hackers complete control of a website. The vulnerability exists within Drupal 6.x, Drupal 7.x, and Drupal 8.x.  

A content management system is the backbone of a website. It’s a database that stores and manage all digital input, including articles, images, photos, and more. Most content management system layouts provide a friendly interface for inserting content along with the necessary search engine optimization fields to get the resulting webpage noticed on Google, Yahoo, Bing, and so on. 

Drupal is just one of many content management systems to manage pages and media across a website. A few other systems include WordPress, Joomla, and Kentico while many websites simply rely on an in-house content management system for the highest level of customization and security.  

Jasper Mattsson of development house Druid found the vulnerability in Drupal, dubbed as SA-CORE-2018-002, as part of Drupal’s routine security examination. The Drupal team doesn’t go into specifics but merely state that hackers could compromise a Drupal-based site. So far, there is no known exploit to take advantage of this vulnerability, thus site-based sabotage is merely theoretical for now. 

Based on the company’s in-house scoring system, here is what the vulnerability covers: 

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

“Note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change,” the Drupal team states. “The Security Team strongly recommends that the best solution is for sites to upgrade.” 

Finally, here is  Drupal’s update schedule to fix the vulnerability: 

Version  Status  Solution 
Drupal 6.x 

End of Life 

Contact a D6LTS vendor 

Drupal 7.x 

Active 

Upgrade to Drupal 7.58 or
install this patch. 

Drupal 8.3.x 

Not supported 

Upgrade to Drupal 8.3.9 or
install this patch. 

Drupal 8.4.x 

Not supported 

Upgrade to Drupal 8.4.6 or
install this patch. 

Drupal 8.5.x 

Active 

Upgrade to Drupal 8.5.1 or
install this patch. 

 “Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases,” the team adds. “However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.” 

According to BuiltWith, 37 percent of the websites using a content management system rely on WordPress followed by Drupal at nine percent and Google’s Search Appliance at three percent. The stats also show that Drupal powers 928,443 sites while WordPress backs 19,883,677 websites, or 5.3 percent of the entire internet, as of April 2.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
These TP-Link mesh Wi-Fi systems are up to 40% off right now
The TP-Link Deco mesh Wi-Fi system on a table.

 

If you're looking at router deals because your current one doesn't reach every corner of your home, you may want to take advantage of Amazon's ongoing discounts of up to 40% for TP-Link mesh Wi-Fi systems. TP-Link is one of the most trusted brands in the internet connectivity space, so you know that you'll be getting top-quality devices when you go for any of its mesh Wi-Fi systems. You're going to have to be quick with your purchase though, as the potential savings from these offers may be gone as soon as tomorrow.

Read more
My most anticipated laptop of the year just got leaked
Foz Do Arelho, Portugal, February 27, 2020 - Laptop, Camera, Pad and phone on a bench at the seaside. Image on the laptop screen saying digital nomad.

The hype for Qualcomm's Snapdragon X Elite laptops is building. Having seen what these machines can do in person already, it's safe to say that these are the laptops I'm most excited about this year.

And today, a leak has revealed what some of the first devices with this much-anticipated chip will look like. Recently shared on X by the usually reliable Microsoft leaker WalkingCat are photos of a new product being referred to as the "Yoga Slim 7 14 Snapdragon Edition."

Read more
These 6 tweaks take MacBooks from great to nearly perfect
The MacBook Air on a white table.

I love getting a new MacBook. The slow-opening box, the fresh install of macOS, even the enchanting new Mac smell (which people have been rhapsodizing about for decades) -- it’s all part of the experience.

But you know what? MacBooks don't arrive perfect out of the box. There are a few things that I always have to adjust, regardless of how powerful the laptop is. From changing the default apps to unlocking a few hidden extras, here are the first six things to do with your new MacBook before putting it to work.
Unlock some trackpad tricks

Read more