I was very pleased with my hosting company, Myriad Networks (www.myriadnetwork.com), up until they decided that Drupal 4.7.x was too dangerous to support. They gave me an ultimatum to upgrade to ver 5, after which they said they will shut me down for security reasons.
Considering I have a few installs with them as a hosting reseller, and some multi-site installs, this is a real pain to be put on a deadline for upgrading.
Any one out there having this situation? I am going to switch to a new host so I do not get treated with ultimatums - but before I do, I want to make sure that this is unusual behavior. If lots of hosts are doing it, then I would stay with Myriad, because aside from this, they have been great.
Please share what your hosting company is doing....
Thanks
Comments
Well seeing as 4.7 is
Well, seeing as 4.7 is continuing to get security patches, I see no reason to call it insecure. It is very secure in my opinion. Sounds like perhaps your host found some article somewhere and is running with it a bit too quickly. Google "drupal dangerous" and you'll get a fistful of articles. However, most of them seem to be talking about how our CMS can be detrimental to startups without the technical expertise to handle it.
How does your host know you are using Drupal? And wouldn't it be a violation of their service agreement with you to cancel your service unless in your contract it was specifically stated that you could not use software that they specify? It sounds a little fishy. Besides, if your site was unsafe (I don't think it is) what problem is that of theirs? If your site is the victim of vandalism it isn't their problem so why should they care?
Just remember there are
Just remember there are always 2 sides to every story.
1. This customer (along with many others) was contacted on 2/14 advising of critical security vulnerabilities in the version of Drupal they were running.
2. This customer was again notified on 2/16 asking for a response.
3. The customer was again notified on 2/17 asking for a response.
4. On 2/17 the customer notified us he would be unable to perform the upgrades for another 10 days. This was/is unacceptable to us as this customer is using one of our shared hosting platforms with many other customers on the same server.
Bottom line is, this is nothing personal. Bring the version of Drupal up to the latest known secure version and all will be well.
Tom
That being said, Your
That being said, your customer seems confused as he/she thinks they must upgrade to Drupal 5.1. Drupal 4.7.5 was patched and redistributed as 4.7.6. I'd agree updating to 4.7.6 is being a good shared hosting customer. It is the customer's responsibility to secure for both the customer and his/her neighbors on a shared host.
I agree. I just spent a few
I agree. I just spent a few moments emailing with TomP regarding this customer and I think somebody should explain to the customer just how simple this upgrade will be. Applying the upgrade to 4.7.6 should take no more than ten to fifteen minutes per site, adding to that maybe the time it takes to back up if you have a lot of images or large files.
It will be interesting to
It will be interesting to know exactly what these vulnerabilities are that put other shared hosting customers at risk. Looking at the security updates rolled out after 4.7, I can't think of anything earthshaking, but I don't run a hosting company, so I wouldn't know.
----
Previously user Ramdak.
Thank you for being involved directly
You must represent http://www.myriadnetwork.com/, and I think it is great that you pay such close attention to what goes on with Drupal.
- Robert Douglass
-----
Lullabot | My Drupal book | My Digg RSS feed
Right-o Robert. TomP is
Right-o Robert.
TomP is Thomas Petersen, President of Myriad.
And JPetersen is Jeff Petersen, CIO.
It looks like Drupal is getting its fair share of attention from Myriad.
Myriad hosting issues - the other side of the other side
First off, the ultimatum I received was requiring me to go to 5.1, not 4.7.6
One of these sites uses the banners module, which is not available in 5.1. So I have a customer who will need some major reprogramming for me to maintain their current level of features...not something I am able to do on short notice.
Another of my installs with Myriad is a complex multi-site install with some critical survey/polling data that is being actively used by someone in the middle of their PhD candidacy. I cannot risk that site being messed up either. - and as we know from many other postings, there are outstanding issues that make upgrading to 5.1 on a multisite install more than just a click of a button.
Even my one test site did not successfully upgrade with the one click method - the blocks fail to display.
See issue - http://drupal.org/node/119044
So having a hosting company require me to go to 5.1 in less than a week is very unreasonable.
That said - It should be noted that aside from this issue, I did point out that Myriad was a very good host otherwise....that is the reason for the posting. If others were also being forced into 5.1, then I would know I was the one being unreasonable...but that does not seem to be the case from these postings.
Check your email; we've
Check your email; we've contacted you regarding this. We only recommended that you upgrade to 5.1 as that's the "one-click" upgrade that Fantastico offers. You're more than welcome to upgrade to the latest stable version, be it 4.7.x or 5.x, so long as it's not vulnerable.
Sorry for any misunderstandings.
I would STRONGLY urge you to
I would STRONGLY urge you to stay away from Fantastico's one-click upgrade schema. Though I have not tested it with Drupal 5.0 it has in the past caused many problems with Drupal security.
DVkid - "If your site is the
Why should we care about a malicious person having access to one of our servers (this is really the question you asked, regardless of the wording being different)? With all due respect this is an extremely naive way of thinking. Why is it assumed that someone potentially having the ability to remotely execute commands on a server would stop at defacing someone's website (or even deface the website in the first place)? Let's consider some other risks:
#1. A spammer gains access to the victim's account, and the server winds up getting listed in RBLs, denying email service to other customers.
#2. A seriously malicious person gains access to the server, and
A. Uses an 0day exploit to root the box, to do anything from removing data for all customers, to hijacking DNS, and an infinite number of other possibilities,
B. Causes an interruption of service via a local Denial of Service Attack on one or more services, or the OS itself,
C. Sets up a phishing site that poses as a legitimate banking/PayPal/other website to steal the banking credentials of unsuspecting website visitors. Thanks, but we, as do our customers, prefer to maintain access to our servers, and not the FBI or Secret Service,
D. Sets up a malicious website that exploits a client side vulnerability (such as any of a number of browser exploits in IE, Firefox, etc) for installing malware, botnet utilities, spamming tools, and so forth (are you really unaware of the security breaches that took place back in September 2006 with many other hosting providers?),
E. An infinite number of other possibilities can be listed here that could be used to damage the very customer we are trying to protect, our other customers, and other people on the Internet.
In any event, should the customer's website just become the victim of vandalism, the account would ultimately be immediately suspended while we investigate the extent of the damage, and after the method of access was determined to be Drupal, access to those directories would be denied anyway until we heard back from the customer with an affirmative that they would be immediately taking the necessary steps to upgrade.
The bottom line is this:
A. There is a choice to have us, the webhosting provider, set a deadline for upgrading, or suffer the consequences of denied access to the files/directories with the vulnerable code, or, should the account get hacked,
B. have the entire account suspended while a post-intrusion investigation takes place, which will ultimately lead to access being denied to the files/directories that were the cause of the intrusion anyway.
You can have all the security in place on your servers you'd like, but, as has been proven time and time again all across the world on all Operating Systems, all it takes is 1 person's account to be compromised to result in catastrophic consequences - regardless of the security measures currently in place. Finally, it takes a lot of time to research even "just" a vandalized website.
This, my friend, is why we should, and will always care.
Mr. Peterson
Mr. Petersen (Tom or Jeff)
I understand that upon the knowledge of a possible security vulnerability (though there was no major security issue with any recent version of 4.7). However, I have never heard of a company placing an ultimatum on their customers. Furthermore, I would wonder if you have any right to do so given the agreement you are in with your customers. I know not the details of your customer contracts, but I do know that I have some twenty Drupal copies running on various servers and none of the hosting companies know or care. Additionally, if you do truly care about letting your users utilize Drupal in a secure environment I would suggest you remove Drupal from the Fantastico install and instead urge your users to utilize the Drupal 5 easy install. (http://drupal.org/forum/fantastico-de-luxe) That post speaks at length about issues caused by Fantastico within Drupal. Whatever minor security cracks may be present in 4.7.5 are certainly nothing compared to those created by Fantastico.
Subscribe to the security announcement list
I disagree, SA-2007-005 is not minor IMO.
Please subscribe to the security announcement list. Do so by visiting http://drupal.org/security, while logged in. Simply click subscribe on the block to the left. Alternatively, visit My account tab edit, tab my newsletters.
--
The Manual | Troubleshooting FAQ | Tips for posting | How to report a security issue.
DVkid - what I am about to
DVkid - what I am about to say is probably going to cause you not to like me very much. It's a good thing I'm not here to make friends :-)
The fact that you are a Drupal developer, and yet do not grasp the concept of remote command execution, but instead downplay it as just a threat of a vandalized website, concerns me greatly for the reasons I outlined in my previous post.
That said, I find it irrelevant that you have not heard of a hosting company requiring a customer to remove the potential backdoors from their accounts. We are not other hosting companies.
I am not here to make personal attacks, nor is that my intent if construed that way. I feel you are being a bit defensive, which is why I say this. My job is to help run a successful webhosting company, and eradicate any possible threats that would prevent me from doing so. It is not our fault this vulnerability exists in some versions of Drupal, and I am not here to point fingers or play the blame game. Our reasoning for our actions has been made clear, take it as you will.
Furthermore, I would wonder
Our Terms of Service (TOS) and Acceptable Use Policy (AUP) are both available online for your reading pleasure.
I actually think you should list these companies who don't care about security. It would be of benefit to those customers that do.
Generally speaking I find your points of view and posts to be very naive and narrow minded. Regardless, do know that we at Myriad Network take security very seriously. Regardless of the program - Drupal, PHPBB, whatever, we will require our users to upgrade when we are notified of a security vulnerability. That, quite frankly, is in line with basic commercial best practices and any company who doesn't do the same is lacking imo. If you don't care about security please do use those other companies :)
Also, of note - I neither wrote the poor code that caused this issue, nor the exploit which took advantage of that poorly written code. I'm simply trying to protect my customers. Hopefully programmers will start taking security more seriously and we won't have to revisit these issues again in the near future.
Tom
Tom
Tom, you should apologize to your customer for having imposed on him to upgrade his web sites to 5.1, threatening him with shutting down his web sites if he doesn't. Drupal 5 just came out and most contributed modules most web sites depend on are not stable now running with Drupal 5 or haven't been ported yet. Actually I think you should not only apologize for the stress you have caused your customer because of your lack of knowledge about Drupal, but give him some compensation.
Caroline
Who am I | Where are we
11 heavens
...!!?
No, actually I think he's in the right here and we should be proud there are hosting professionals who help make the Internet more secure through responsible practices. It sounds like the original poster misunderstood the notification and decided to rant in our forums and the host company has shared their side. Their side seems highly responsible.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
Hi Caroline:Quite possibly
Hi Caroline:
Quite possibly you missed my final statement:
"Also, of note - I neither wrote the poor code that caused this issue, nor the exploit which took advantage of that poorly written code. I'm simply trying to protect my customers. " Since it looks like you want to blame someone for this issue how about pointing your fingers at those who wrote the code.....or the person who wrote the exploit?
Thank you for contributing your opinion (attacking me) but I/we have done nothing wrong here. If anything there was a miscommunication issue which has long since been rectified. I wonder how you would feel if *your* website was taken offline because your hosting company failed to act on a critical security issue. I'm quite sure you would be giving heat to the hosting company for failing to act. Sorry Caroline, but you cannot have it both ways.
Steven: thank you for bringing some good old-fashioned common sense and real world knowledge to this situation. Too many times I think folks think we (the hosting company) are simply choosing to pick on our customers when nothing could be further from the truth. The fact of the matter is our customers run hundreds (thousands?) of different scripts and programs - we cannot realistically be expected to be experts at all of them. We are simply doing the absolute level best we can.
Tom
--
Fact is your customers don't need to upgrade to Drupal 5. They can stick with 4.7. You were wrong. You made a mistake.
Your customer says:
Is he lying?
Caroline
Who am I | Where are we
11 heavens
@Caroline, It was a
@Caroline,
It was a misunderstanding. The customer installed via Fantastico, and the upgrade option in Fantastico was 5.x; hence, we suggested he go to 5.x to continue using Fantastico to stay upgraded.
Wow
I think both parties need to apologize. Frankly this is ridiculous, after reading this post I don't like either ones side. This has become a silly feud and should stop.
While it is important to keep security in line, it's also good to keep customer relationships. TechM is also not to blame for the security vulnerabilities of Drupal. He should upgrade to the latest 4.7.x, to keep up on security. And Tom... Well, you should just say sorry man. You're not being very understanding about this, and it seems that you're taking this personally, which you shouldn't. I mean, why attack Caroline? She's just trying to put in her 2 cents.
I'm not trying to blame you though, because TechM SHOULD upgrade to the latest 4.7.x and quit whining about it.
drudging up a month old
drudging up a month old topic, is "silly" as well ; )
agreed
Thread's locked.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
...
I will point out that there were differing opinions expressed in that thread and one of the outcomes of the linked thread was that Fantastico gained greater awareness of Drupal's security advisory method and took steps to improve their processes.
All that said, a host that paid as much attention to the security vulnerabilities of the packages they host and provided proactive notifications to customers who may have missed those notifications is one to be applauded. Compromised servers affect not only the customer and the host company, they affect all those that the attacker chooses to attack.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
Then what should I do - I run modules that are not on 5.1?
So you think it is good business to force my sites to shut down, because I am running drupal 4.7.x and using modules like Banners, which is not available to 5.1?
Enough of this ranting - I am not trying to flame myriad....my very first posting said I liked them other than this issue.
What I wanted to know was, is anyone else having this aggressive upgrading issue?
I obviously need to find a less aggressive, more understanding host.
Any suggestions for a reseller host would be most welcome.
For those who like the aggressive approach, I can recommend Myriad - they have been very good on all other measures.
um
There are alternative view points suggested in the thread.
I find your continuing insistence on being unclear interesting. Current SECURE 4.7 stable is 4.7.6. If you are running 4.7.4 then you are TWO SECURITY ANNOUNCEMENTS behind. To continue using the 4.7.x in your posts seems disingenuous when the latest secure release is 4.7.6 and that was announced Jan 29. 4.7.5 was announced even earlier.
To post that they want to shut down 4.7.x seems inaccurate when they've clearly said in comments above the latest version of the 4.7 series was acceptable. Upgrading to the latest 4.7.6 should be very easy and painless.
Is it possible that there were some misunderstandings all around? Sure, but you know what, a series of emails would probably have cleared this up.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
Really hate to beat a dead
Really hate to beat a dead horse here, but as pointed out in this thread, and in your ticket, we're not forcing you to upgrade to 5.x. You have the option to upgrade to the latest 4.7.x series. As long as the software you're running is the latest and greatest, we have absolutely no problem.
Again, the only reason we suggested you upgrade to 5.x is simply because that's the version Fantastico offers via the "one-click" upgrade process. We are aggressive when it comes to security; and any right minded host truly should be.
TechMosaic: I'm getting
TechMosaic: I'm getting tired of you bending the facts to suit your reality. Either accept the way things are and do this quick and painless upgrade or move on.
Tom
Myriad Clearly insisted on 5.1 - not 4.7.6
No use being fair minded anymore.
Here is the exact text of Myriads Email to me.
Tell me how this is anything but a requirement that I move to 5.x!!
> Hi,
>
> A new version of Drupal has been released which addresses several critical security issues.
>
> baliawel / 4.7.3 (5.1)
> bjrosen / 4.7.4 (5.1)
> jwallace / 4.7.3 (5.1)
>
> You'll need to have those 3 users update their Drupal installs from 4.7.x to the latest version, 5.1.
>
> Please notify us when this has been completed. Thanks.
Jeff Petersen
Myriad Network Support
support@myriadnetwork.com
Again, the only reason we
Again, the only reason we suggested you upgrade to 5.x is simply because that's the version Fantastico offers via the "one-click" upgrade process. We are aggressive when it comes to security; and any right minded host truly should be.
You could have asked us if the latest version in the 4.7.x series was safe to upgrade to; instead, you took it here to a public discussion forum. As stated numerous times here, and numerous times in the ticket conversations, you may upgrade to 4.7.x.
I believe TechMosaic's point
I believe TechMosaic's point in that post is that you did not suggest that he move to 5.1, you told him to. Had you presented him with two options (a. upgrade to 5.1, b. upgrade to 4.7.6) then this thread would not exist, three fewer user accounts on Drupal.org would be needed, and a lot of time would not have been spent. It is my belief that the root of the problem is that Myriad presented the information they were given by Fantastico (5.1 one-click upgrade) to be the best and only solution to the security vulnerability. Had they presented the Fantastico solution as one possible suggestion and encouraged the user to consult the software's website for more information this problem would have been easily resolved with a simple upgrade to 4.7.6.
TechMosaic: I hope that you understand that the upgrade to 4.7.6 is very simple and should take you no more than a few moments to complete for your sites. It is recommended that you first upgrade all sites to 4.7.5 (available here: http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.5.tar.gz). Follow that up by upgrading to 4.7.6 via the link on the homepage and you'll be all fixed up.
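As an added example (not code from Myriad, Drupal or any poster in this thread), here is a host-side inventory of the kind the notices above describe: it walks customer home directories, reads each Drupal install's version, and produces a notice that lists both the 4.7.6 and the 5.1 options rather than only 5.1. It assumes that Drupal 4.7.x and 5.x define their version with `define('VERSION', ...)` in modules/system/system.module (an assumption, not confirmed by the thread); the directory tree is constructed to mirror the accounts and versions in the quoted email.

```python
"""Host-side inventory of Drupal installs on a shared server (added example).

Assumption (not from the thread): Drupal 4.7.x/5.x carry their version in
modules/system/system.module as  define('VERSION', '4.7.3');
"""
import os
import re
import tempfile

# Latest secure release per branch, as the thread states them.
LATEST_SECURE = {"4.7": "4.7.6", "5": "5.1"}

VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9][0-9.]*)'\s*\)")


def parse_version(text):
    """Return the VERSION string from a system.module body, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """'4.7.6' -> (4, 7, 6), so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def branch_of(v):
    """4.x releases are tracked as '4.7'; 5.x and later as the major number."""
    parts = v.split(".")
    return ".".join(parts[:2]) if parts[0] == "4" else parts[0]


def find_installs(root):
    """Walk customer directories under root; return sorted (account, version)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "system" or "system.module" not in files:
            continue
        with open(os.path.join(dirpath, "system.module")) as fh:
            version = parse_version(fh.read())
        if version is None:
            continue
        # The first path component below root is the customer account.
        account = os.path.relpath(dirpath, root).split(os.sep)[0]
        found.append((account, version))
    return sorted(found)


def assess(account, version):
    """Compare an install against its branch's latest secure release."""
    branch = branch_of(version)
    secure = LATEST_SECURE.get(branch)
    if secure is None:
        return (account, version, "unknown branch; review manually")
    if version_tuple(version) >= version_tuple(secure):
        return (account, version, "current")
    # Offer both ways out: stay on the branch, or move to the 5.x line.
    options = [secure] if branch == "5" else [secure, LATEST_SECURE["5"]]
    return (account, version, "behind: upgrade to " + " or ".join(options))


def notification(root):
    """One notice line per install, in the 'account / version' shape of the email."""
    lines = []
    for account, version in find_installs(root):
        acct, ver, status = assess(account, version)
        lines.append(f"{acct} / {ver}: {status}")
    return lines


def build_sample_tree():
    """Constructed sample tree: the three accounts from the email plus two
    already-current installs. Stub system.module files only carry VERSION."""
    root = tempfile.mkdtemp()
    sample = {"baliawel": "4.7.3", "bjrosen": "4.7.4", "jwallace": "4.7.3",
              "patched": "4.7.6", "newsite": "5.1"}
    for acct, ver in sample.items():
        d = os.path.join(root, acct, "public_html", "modules", "system")
        os.makedirs(d)
        with open(os.path.join(d, "system.module"), "w") as fh:
            fh.write(f"<?php\n// constructed stub\ndefine('VERSION', '{ver}');\n")
    return root


if __name__ == "__main__":
    for line in notification(build_sample_tree()):
        print(line)
```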
Had they presented the
You're right, DvKid. While Myriad is to be commended for their proactive approach to security for the sake of their shared hosting customers, the way it seems to have been done (at least from reading these posts) could have been better.
Holding a gun to your customer's head is not the way to endear them to you. I know I moved from an otherwise good host where I had a shared reseller hosting account to VPS with another host when one of their self-righteous forum admins banned me from posting because someone else converted a thread started by me about a genuine problem (my server had been hacked because of a cpanel exploit they failed to fix in time) into a bashing session. There was no way I could be held responsible for that other poster, yet this man thought it fit to ban me; he wanted me to beg to get posting privileges again. Of course, I didn't and they lost a customer for life. I was completely sold on them till that point.
----
Previously user Ramdak.
Holding a gun to your
As a webhosting provider, these types of overly dramatic, far fetched statements are something we do hear from time to time, and the fact is that the reality of the situation is not something you currently understand.
To DVkid, the Drupal dev that, by his own statements in this thread, would gladly offer you, no, the entire Internet, shell access on one of his servers (a server that allows him to pay rent, put food in his mouth, etc), my final words to you are this:
The information that there was a security issue with the versions of Drupal was presented, and he was told to upgrade:
"You'll need to have those 3 users update their Drupal installs from 4.7.x to the latest version, 5.1."
In the meantime, our server is a sitting duck because we allowed this customer time to perform the upgrade. 2 days go by, no response. The email is reissued. Another day goes by. Day 3, server is a sitting duck because of poor programming practices in Drupal, and it's time to escalate our actions so as to prevent the customer, ourselves, other customers, and other folks on the Internet from being attacked.
Yes, we told the customer to upgrade to 5.1. As if it's not already obvious enough that you do not have any semblance of a clue as to what it takes to maintain a shared webhosting server, I am going to inform you of something you probably were previously not aware of. When you install a script via Fantastico, such as this customer did in all 3 cases, it often spits out a post-install message stating not to move things around too much, because Fantastico maintains important information about the installation (such as where the script was installed, what files are associated with the install, etc). It's no surprise the upgrade to 5.1 via Fantastico caused issues for the customer, as they had, by their own admission, done post-install customizations. For the record, I don't know what the exact cause of the botched Fantastico upgrade to 5.1 was for this customer.
That said, we presented the information about the upgrade, specifically to include why it was necessary. As we do not do all the thinking for our customers, the customer was free to check the Drupal website themselves and note that the fixes had been ported to the 4.x branch, and continued to discuss the matter with us about simply upgrading his 4.x release. In hindsight, should we have done this first? Sure, it would have been a good idea. However, we did not, because we noticed the install was done via Fantastico, which did not have the option to upgrade to anything but 5.1.
If you cannot understand why anyone would not allow a server to sit around on the Internet that knowingly has unpatched vulnerabilities, and when several exploits had just been publicly released (never mind the fact that the exploits, as with most cases, had probably been around for a very long time before the bug went public), then I submit that your attitude is in line with why there are so many hacked servers on the Internet today used for spam and DDoS.
I'll note that you were quick to shift the attention of security issues with Drupal to Fantastico in your previous post, yet at the same time don't see why anyone should care about a malicious person having access to a server. I find your words to be highly contradictory.
I will comment no more on the subject, other than to say that we make no apologies for our actions. Despite the fact that you are not in our shoes, feel free to continue bashing us DVkid. At the end of the day, we know the right thing was done.
In the meantime, our server
You say that if you don't get a response in 3 days from a customer you think that your methods have to escalate? Three days, LOL? What happens if a customer goes up North for a long week-end?
Caroline
Who am I | Where are we
11 heavens
It is the responsibility of
It is the responsibility of the admin to make sure that they are secure. Drupal 4.7.6 was released long before this notification from the host. In the end, the diligence myriad has shown, benefits Drupal too. (IMHO) The more secure instances of Drupal running the better off Drupal's reputation is.
Admins who don't update their software when a security situation is found, patched, and now known to the public are just plain lazy and help give Drupal an insecure reputation. If you want to run insecure software, do it on your own server and not a shared host where the host is responsible for "ALL" the customers on a server and not just one.
3 days is plenty of time (and keep in mind 4.7.6 was out longer than 3 days) to have upgraded from 4.7.3 + 4 to 4.7.6 at which point this admin would have been secure and could have informed his host that he was secure and running the latest version of software provided by Drupal.
Subscribe to the security newsletter so that you as an admin known when a security update is released. Update ASAP, and you won't run into these situations. Keep in mind that after a security breach is patched and the vulnerability is known, its pretty easy to find old Drupal installs and then attempt to wreck them with the released vulnerability.
You should not only run secure software for yourself, but for the others on the same server.
The way I see it, this admin was warned multiple times. Myriad could have just pulled the plug if they wanted to. They did not. A grace period only lasts so long, regardless of how much whining is done afterwards.
The saddest situation here is that all of this energy gets wasted in a thread like this, over a small bit of confusion: the fact that an email stated 5.1 and not 4.7.6. Errors happen, we're all human. With the amount of energy that went into posting this situation and making it public, it could have been worked out by just updating and informing the host of the update.
Attacking the host and constantly picking apart what they've tried to do, which is essentially have the admin run a "secure" version of Drupal, seems to me to be a little over the top.
Matter of fact, Myriad hosting may have just gained a customer in me. The fact that they actively pay attention to what's being run on their servers and make sure that software is updated is a great sense of security for me. I no longer have to worry that the site sitting next to mine is running an unpatched OSS product.
Agreed
The very first thing I wondered when I read the first post was whether or not this is a virtual hosting situation. If so, the hosting provider's responsibility to other customers (most immediately to those on the same box) supersedes the rights of the individual customer to have things his way.
I have a dedicated box.
I would be very impressed if my host knew enough about any of my scripts to let me know about specific security vulnerabilities.
http://profitlabinc.com
Impressed with Myriad's Stance on this.
I second that.
Security (patching/upgrading) is extra work that many people just don't bother with, but should. I'd like to know that my hosts kept on top of security issues like that too.
One of my hosts sent out something a few months ago about not allowing YABB anymore, but it didn't apply to me, so I didn't pay much attention. And my buddy was one or two patches behind on vBulletin, and he got hacked and vandalized. He doesn't bother with backups either \:^o
Luckily, his host does backups for him.
Quint
Matter of fact, Myriad
I have to third this. I'm currently using a dedicated VPS (Security issues on other VPSs don't affect mine outside of performance), but for a shared hosting situation, Myriad is now one of my considerations if I require a shared host in the future for how they handled this.