I saw this news at theregister.co.uk, which confirms that SpreadFirefox.com got hacked.

Could this have to do with some yet still present vulnerability in Drupal, or the PHP XML-RPC hack noted recently?

There is no indication on how it was accomplished.

Comments

Dries’s picture

Over at spreadfirefox.com, Asa Dotzler (asa) wrote in the comments that they failed to update their Drupal installation with the latest security patches.

Albaraha’s picture

Mentioned in ZDNet:

According to its e-mail, the group has also "reviewed our security plan to determine why we didn't previously apply those fixes in this case, and have modified that plan to ensure we do so in the future." The exploited flaw was a vulnerability in PHP, the language in which Drupal, the content management system that Spread Firefox uses, is written.

Dries’s picture

It wasn't a vulnerability in PHP. It was a vulnerability in the third-party XML-RPC library (written in PHP) that Drupal (also written in PHP) ships with. See the Drupal 4.6.2 release announcements for details.

voipfc’s picture

Could it be time for a patchme module in Drupal?

A module that sends signed emails to the site administrators with news on vulnerabilities found in Drupal, PHP or other Drupal components, that is enabled by default, if not mandatory.

The module could regularly retrieve updates from the Drupal website; that way no administrator could ever claim to be ignorant of it if they checked their admin emails regularly.

It could also send the updates to be applied to whatever source files are involved if applicable, or the bits of functionality to be disabled if fixes are not available yet.

sepeck’s picture

Then 'we' are responsible for 'your' site. If you put a site up, you need to take responsibility for checking up on things.

There is no paid administrative staff here to dedicate to something like that.

-sp
---------
Test site...always start with a test site.
Drupal Best Practices Guide

tostinni’s picture

Sure, I don't think that "we" should be responsible for anyone's site, but subscribing to the Drupal newsletter or security list may be a "mandatory" step of maintaining a Drupal-powered site ;)

sepeck’s picture

Yes, well, we're working on adding something to the install.txt that the newsletter is the vector for security-related information, and I need to get a page added to the handbook on it.

-sp
---------
Test site...always start with a test site.
Drupal Best Practices Guide

voipfc’s picture

I am not implying that the module should update Drupal itself automatically, just notify the site's admin, either through email or by a notification after the admin logs into Drupal.

It is simply to minimize any excuses on the admin's part, if at the very least they check their email regularly.

I mean if after logging in the admin gets a wail from the installation saying "patch me, patch me", they are less likely to ignore it, aren't they?

If such things become critical there could even be the option of shutting the website or disabling some functionality, especially if it is a public facing server. It can be configurable by the admin.

Drupal is becoming a lot more than it was in the past, and if such things are not engineered into it soon, it will be a problem in the future. It will wind up in the hands of less technically able people more and more, and soon not having such things built in will begin to hurt.
It is already a one-click install with the popular hosting control panels, and the users are not the kind you expect to sit down to patch their installations, unless their providers fix things automatically for them.

No matter how diligent and conscientious Drupal developers and contributors are, they will have to factor in computer users that are the equivalent of car drivers who don't know how to check the oil and check their tyre pressure.

The PHP XML-RPC warning barely registered with me (it is an empty site whose only traffic comes from me); it was only when I read the SpreadFirefox news that I went back to check the emails sent by my hosting provider about some checks and fixes they were making on all their servers. Considering that it is a VPS I am theoretically fully responsible for, they probably didn't do it for my sake, but had to anyway for the sake of all the other customers on the server and the network.

No matter what happens, the Dummies are coming to Drupal.

Consider the case of Microsoft: no matter how much they ask users to install security software and updates and all that, it would have been much easier all round if the security had been built into the very design of their systems from the start.
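The "patchme" idea sketched in voipfc's two posts above (a module that pulls a signed list of advisories, compares it against what the site actually runs, and nags the admin by email or at login, with a "disable this until a fix exists" path for unpatched issues) is a small enough loop to show end to end. The following is an added example written for this thread; it is not Drupal code and there was no such module at the time. The advisory feed, the component versions and the signing key are all constructed for the demonstration, and the feed is authenticated with an HMAC over the payload as a stand-in for whatever signature scheme a real publisher would use.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed shared key standing in for the publisher's signing secret.
SIGNING_KEY = b"constructed-demo-key"

# Constructed advisory feed (not a real Drupal security feed). "fixed_in"
# is None when the issue is public but no patched release exists yet.
ADVISORIES = [
    {"id": "ADV-1", "component": "drupal", "severity": "critical",
     "summary": "XML-RPC library remote code execution", "fixed_in": "4.6.2"},
    {"id": "ADV-2", "component": "some_module", "severity": "moderate",
     "summary": "cross-site scripting in form output", "fixed_in": None},
    {"id": "ADV-3", "component": "other_module", "severity": "low",
     "summary": "information disclosure", "fixed_in": "1.2"},
]
FEED_BYTES = json.dumps(ADVISORIES, sort_keys=True).encode()
FEED_SIGNATURE = hmac.new(SIGNING_KEY, FEED_BYTES, hashlib.sha256).hexdigest()

# Constructed inventory of what this site runs (core plus contributed modules).
INSTALLED = {"drupal": "4.6.1", "some_module": "1.0"}


def verify_feed(payload: bytes, signature_hex: str, key: bytes) -> bool:
    """Constant-time check that the feed really came from the key holder."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version string -> comparable tuple, e.g. '4.6.2' -> (4, 6, 2)."""
    return tuple(int(part) for part in version.split("."))


def version_lt(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the fixing release."""
    return parse_version(installed) < parse_version(fixed_in)


def check_updates(payload: bytes, signature_hex: str, key: bytes,
                  installed: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Return one notice per advisory that affects an installed component.

    Raises ValueError if the feed signature does not verify, so a tampered
    or spoofed feed can never produce (or suppress) notices.
    """
    if not verify_feed(payload, signature_hex, key):
        raise ValueError("advisory feed signature mismatch")
    notices = []
    for adv in json.loads(payload):
        component = adv["component"]
        current = installed.get(component)
        if current is None:          # advisory for something this site does not run
            continue
        fixed = adv["fixed_in"]
        if fixed is None:
            action = "no fix available yet: disable %s until a patched release exists" % component
        elif version_lt(current, fixed):
            action = "upgrade %s from %s to %s" % (component, current, fixed)
        else:
            continue                 # already at or past the fixing release
        notices.append({"id": adv["id"], "component": component,
                        "severity": adv["severity"], "summary": adv["summary"],
                        "action": action})
    return notices


def login_banner(notices: List[Dict[str, Optional[str]]]) -> str:
    """The 'patch me, patch me' message shown after the admin logs in."""
    if not notices:
        return "No outstanding security advisories for this site."
    lines = ["%d security advisory(ies) need attention:" % len(notices)]
    for n in notices:
        lines.append("- [%s] %s (%s): %s" % (n["severity"], n["id"], n["summary"], n["action"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(login_banner(check_updates(FEED_BYTES, FEED_SIGNATURE, SIGNING_KEY, INSTALLED)))
```

Two design points worth noting: the signature is checked before anything in the feed is parsed or acted on, which is what makes a "signed" advisory channel worth more than an unauthenticated one; and the "no fix available" branch deliberately recommends disabling the component rather than doing it, matching voipfc's later clarification that the module should notify rather than change the site on its own.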