Hackers could attack 1 million websites in a content management system flaw

A vulnerability discovered in a popular content management system could leave nearly 1 million websites open to attack if left unpatched. The developers behind the content management system, Drupal, label the issue as “highly critical” because the vulnerability opens up various points of attack and could grant hackers complete control of a website. The vulnerability exists within Drupal 6.x, Drupal 7.x, and Drupal 8.x.

A content management system is the backbone of a website. It’s a database that stores and manages all digital input, including articles, images, photos, and more. Most content management system layouts provide a friendly interface for inserting content along with the necessary search engine optimization fields to get the resulting webpage noticed on Google, Yahoo, Bing, and so on.

Drupal is just one of many content management systems used to manage pages and media across a website. A few other systems include WordPress, Joomla, and Kentico, while many websites simply rely on an in-house content management system for the highest level of customization and security.

Jasper Mattsson of development house Druid found the vulnerability in Drupal, dubbed SA-CORE-2018-002, as part of Drupal’s routine security examination. The Drupal team doesn’t go into specifics but merely states that hackers could compromise a Drupal-based site. So far, there is no known exploit to take advantage of this vulnerability, thus site-based sabotage is merely theoretical for now.

Based on the company’s in-house scoring system, here is what the vulnerability covers: 

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

“Note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change,” the Drupal team states. “The Security Team strongly recommends that the best solution is for sites to upgrade.” 

Finally, here is Drupal’s update schedule to fix the vulnerability:

Version        Status          Solution
Drupal 6.x     End of Life     Contact a D6LTS vendor
Drupal 7.x     Active          Upgrade to Drupal 7.58 or install this patch.
Drupal 8.3.x   Not supported   Upgrade to Drupal 8.3.9 or install this patch.
Drupal 8.4.x   Not supported   Upgrade to Drupal 8.4.6 or install this patch.
Drupal 8.5.x   Active          Upgrade to Drupal 8.5.1 or install this patch.

“Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases,” the team adds. “However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.”
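
For administrators with more than one Drupal site, the update schedule above can be applied to an inventory of core versions. The following is an added example, not code from Drupal or from this article; the hostnames and versions are constructed sample data, and branches that the schedule does not list are reported as unlisted rather than guessed at.

```python
import re

# Fixed release per branch, copied from the update schedule above.
FIXED = {(7,): (7, 58), (8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$")

def triage(version_text):
    """Classify one Drupal core version string against SA-CORE-2018-002."""
    m = VERSION_RE.match(version_text.strip())
    if not m:
        return "unknown: unparseable version, verify manually"
    if m.group(4):
        # -dev / -rc builds cannot be ordered against a release by number alone.
        return "unknown: pre-release build, verify manually"
    v = tuple(int(p) for p in m.group(1, 2, 3) if p is not None)
    if v[0] == 6:
        return "vulnerable: end of life, contact a D6LTS vendor"
    # Drupal 7 has a single branch (7.N); Drupal 8 is fixed per minor branch.
    branch = v[:1] if v[0] == 7 else v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unlisted: no fixed release in the schedule for this branch"
    if v < fixed:
        return "vulnerable: upgrade to " + ".".join(map(str, fixed))
    return "patched"

def report(inventory):
    """Map each site in {site: version} to its triage result."""
    return {site: triage(ver) for site, ver in inventory.items()}

# Constructed inventory; hostnames and versions are sample data.
SAMPLE = {
    "intranet.example": "7.57",
    "shop.example": "8.4.6",
    "blog.example": "8.5.0",
    "legacy.example": "6.38",
    "staging.example": "8.5.0-rc1",
    "old.example": "8.2.7",
}

if __name__ == "__main__":
    for site, result in report(SAMPLE).items():
        print(f"{site:18} {result}")
```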

According to BuiltWith, 37 percent of the websites using a content management system rely on WordPress followed by Drupal at nine percent and Google’s Search Appliance at three percent. The stats also show that Drupal powers 928,443 sites while WordPress backs 19,883,677 websites, or 5.3 percent of the entire internet, as of April 2.

Kevin Parrish