Hackers could attack 1 million websites in a content management system flaw

A vulnerability discovered in a popular content management system could leave nearly 1 million websites open to attack if left unpatched. The developers behind the content management system, Drupal, label the issue as “highly critical” because the vulnerability enables various attack points and could grant hackers complete control of a website. The vulnerability exists within Drupal 6.x, Drupal 7.x, and Drupal 8.x.  

A content management system is the backbone of a website. It’s a database that stores and manage all digital input, including articles, images, photos, and more. Most content management system layouts provide a friendly interface for inserting content along with the necessary search engine optimization fields to get the resulting webpage noticed on Google, Yahoo, Bing, and so on. 

Drupal is just one of many content management systems to manage pages and media across a website. A few other systems include WordPress, Joomla, and Kentico while many websites simply rely on an in-house content management system for the highest level of customization and security.  

Jasper Mattsson of development house Druid found the vulnerability in Drupal, dubbed as SA-CORE-2018-002, as part of Drupal’s routine security examination. The Drupal team doesn’t go into specifics but merely state that hackers could compromise a Drupal-based site. So far, there is no known exploit to take advantage of this vulnerability, thus site-based sabotage is merely theoretical for now. 

Based on the company’s in-house scoring system, here is what the vulnerability covers: 

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

“Note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change,” the Drupal team states. “The Security Team strongly recommends that the best solution is for sites to upgrade.” 

Finally, here is  Drupal’s update schedule to fix the vulnerability: 

Version  Status  Solution 
Drupal 6.x 

End of Life 

Contact a D6LTS vendor 

Drupal 7.x 

Active 

Upgrade to Drupal 7.58 or
install this patch. 

Drupal 8.3.x 

Not supported 

Upgrade to Drupal 8.3.9 or
install this patch. 

Drupal 8.4.x 

Not supported 

Upgrade to Drupal 8.4.6 or
install this patch. 

Drupal 8.5.x 

Active 

Upgrade to Drupal 8.5.1 or
install this patch. 

 “Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases,” the team adds. “However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.” 

According to BuiltWith, 37 percent of the websites using a content management system rely on WordPress followed by Drupal at nine percent and Google’s Search Appliance at three percent. The stats also show that Drupal powers 928,443 sites while WordPress backs 19,883,677 websites, or 5.3 percent of the entire internet, as of April 2.

Emerging Tech

A.I.-generated text is supercharging fake news. This is how we fight back

A new A.I. tool is reportedly able to spot passages of text written by algorithm. Here's why similar systems might prove essential in a world of fake news created by smart machines.
Gaming

How do Nintendo Switch, Xbox One X compare to each other? We find out

The Nintendo Switch is innovative enough to stand apart from traditional consoles, but could it become your primary gaming system? How does the Switch stack up against the Xbox One?
Social Media

Your Google+ public content will remain viewable on the web, if you want it to

Google's failed social network — Google+ — will soon be wiped from the internet, but there's a team of volunteers working right now to save its public content for the Internet Archive.
Mobile

Think iPhones can’t get viruses? Our expert explains why it could happen

If your iPhone has been acting strangely, then you may be concerned about the possibility it is infected with a virus or some malware. We take a look at just how likely that is and explain why iOS is considered relatively safe.
Computing

Confused about RSS? Don't be. Here's what it is and how to use it

What is an RSS feed, anyway? This traditional method of following online news is still plenty useful. Let's take a look at what RSS means, and what advantages it has in today's busy world.
Computing

Here are the best affordable monitors for your budget desktop

Looking for the best budget monitors? These monitors are affordable, but still provide the features you need for gaming, work, home or other plans! Take a look at the displays and your wallet will thank you.
Product Review

The Lenovo Legion Y740 brings RTX 2080 graphics power for under $2,500

Coming with the Intel Core i7-8750H processor, Nvidia GeForce RTX 2080 Max-Q graphics, 16GB of RAM, and a 256GB PCIe NVMe SSD, the Legion Y740 one big beast. But priced at under $2,500 how does Lenovo’s Legion stand up against the crowd?
Computing

This limited-time Dell deal cuts $330 off the price of the XPS 15

Dell is currently running a limited-time sale that is cutting the pricing on the XPS 15 down by $330, but only through Thursday, March 21, and with the use of a special coupon code. 
Mobile

Google hit with another fine by the EU, this time for $1.7 billion

Google has been fined for the third time by the EU, this time for breaching antitrust laws by requiring third-party websites using its search function to prioritize its ads over competitors.
Computing

If you have $5,200, Apple has 256GB of RAM for your iMac Pro

Professionals looking to run intensive applications will be able to push their work a bit further with Apple's latest iMac Pro, which holds 256GB of DD4 ECC RAM for $5,200. Here's why it costs so much to upgrade your iMac Pro to the top.
Computing

Don’t be fooled! Study exposes most popular phishing email subject lines

Phishing emails are on the rise and a new study out by the cybersecurity company Barracuda has exposed some of the most common phishing email subject lines used to exploit businesses. 
Deals

From Air to Pro, here are the best MacBook deals for March 2019

If you’re in the market for a new Apple laptop, let us make your work a little easier: We hunted down the best up-to-date MacBook deals available online right now from various retailers.
Computing

Oculus shows off the Rift S, plans to phase out its original VR headset

Oculus plans to phase out its flagship Rift VR headset for its newly created Rift S. The Rift S made its debut this week at the 2019 Game Developers Conference and is expected to be released in spring 2019.
Computing

Secure your Excel documents with a password by following these quick steps

Excel documents are used by people and businesses all over the world. Given how often they contain sensitive information, it makes sense to keep them from the wrong eyes. Thankfully, it's easy to secure them with a password.