October 12, 2018 By David Strom 2 min read

Drupal is a leading open source content management tool that hosts a significant portion of the most popular websites on the internet. If you have not heard about the Drupal security flaws from earlier this year, then you need to take a closer look at what happened and start taking precautions to protect your own installations.

A Brief History of Drupal Security Flaws

The first vulnerability was detected in March, according to Drupal, and had the more widespread implications, since everyone running Drupal since v6 could be at risk — potentially affecting a million users. The oldest of these versions is no longer officially supported, yet it is still popular and can be found in production use.

Researchers have also found active automated exploit attempts in the wild, including a new attack method known as Drupalgeddon 2, which places crypto-mining software on unpatched Drupal sites. This means threat actors are scanning IP address ranges to look for vulnerable websites.

The original Drupalgeddon, an SQL-injection vulnerability, was found back in 2014, according to Linux Journal. Drupalgeddon 2 is somewhat similar to its predecessor in that the flaw has to do with another code injection technique involving inputs to web forms that aren’t properly checked, Check Point Research reported. As a result, anyone can navigate to a specific URL on a Drupal-powered website and take it over. There is no authentication required, and once you are in, you have complete control over the site.

Patches for Drupalgeddon 2 were issued for two versions: Drupal 8.3.4 and Drupal 7.56. There have been no known attacks.

How to Protect Your Website

Drupal compiled some recommendations for responding to a site breach that are worth reviewing not just for those tips specific to their software, but for the general implications of keeping your site current and secure.

For example, you should make a forensic copy of your site before applying any changes in case a threat actor has already entered your site. You should also decide whether to roll back or rebuild your servers and determine whom you should notify in case of a breach.

It’s important to note that just patching your server won’t be sufficient in the face of an exploit such as Drupalgeddon. An attacker could have already entered your system and taken complete control over your website. Examining user behavior can also help to identify improper access to site controls.

Drupal’s general suggestions are useful for any website, no matter what code it is running. These include:

  • Using multifactor authentication (MFA) to protect your logins. This should be common practice by now, but it bears repeating.
  • Using stronger admin passwords. This should also go without saying, but many users are still not employing secure password management.
  • Regularly auditing all your user accounts and ensuring that unfamiliar accounts or admin roles haven’t been created by a threat actor.
  • Not using an account named “admin” as your administrator’s account. This creates an obvious target.

What Drupal Is Doing to Bolster Security

Drupal has two security projects worth examining. The first is an extension called Paranoia that can block misused Hypertext Preprocessor (PHP) pages and prevent privilege escalation techniques. The second is an older project called Security Review that examines your PHP code for common programming mistakes.

Cybersecurity is an ongoing, iterative process, so conducting code reviews and backing up data should be parts of a continuous audit of your website security. Above all else, security should be a central and ubiquitous pillar of your team’s general operations structure.

More from Application Security

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

10 min read - Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit. This post doesn’t require any specialized Windows kernel knowledge to follow along, though…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today