Drupalgeddon megaflaw raises questions over CMS bods' crisis mgmt

The security world has been shocked to its foundations following ominous warnings that millions of Drupal websites that didn't apply a critical patch within hours of its release earlier this month should be regarded as hopelessly compromised. The maintainers of the Drupal content management system warned users that “automated …

Anonymous Coward

That's what you get for not using

TYPO3

Drupal isn't a CMS; it was designed to run a forum, now you see why.


Re: That's what you get for not using

Like saying that Facebook wasn't intended to be a social network, it was built to give Zuckerberg fapping material via pictures of female students through hacked university private dormitory ID images.


Re: That's what you get for not using

The last time I checked, TYPO3 had a big learning curve; Drupal and other CMS scripts such as e107 are simple to set up and do what most people need.

Paris because obviously I'm dumb for not using TYPO3


Re: That's what you get for not using

Yes, as if TYPO3 doesn't have its own set of problems.

All software has bugs.


Re: That's what you get for not using

There are bugs in all software, yes. But there are bugs, and there are egregious repeated examples of recklessness. Choose your software wisely.


Horrendous!

I don't really understand why it took until the 29th to advise users that they should probably restore from backups. We have backups of course, but each day that goes by makes restoring from a backup almost exponentially less feasible.

People who are active in the community and spend all day in #drupal on IRC might stay on top of the aftermath of something like this. But I don't think most users of Drupal employ full-time babysitters for their CMS. Many Drupal site administrators are probably not the most technical either, it's a point-n-click application, so why bother employing a sysadmin when we can pay for Jonny Wordpress to have a morning of Drupal training and a book to not read.

At best Jonny Wordpress might subscribe to the security announcement feeds or mailing lists. Perhaps even these... https://www.drupal.org/security/rss.xml and https://www.drupal.org/security/psa/rss.xml

In which case he would have no idea of the total sh*tstorm that's rained down in the intervening 2 weeks.

SQL injection is horrendous and especially bad news where so much of a site's structure and config is stored in the database. And even worse when the bug has been present for the 3+ years since the release of Drupal 7.

I've always thought Drupal was a total dog of a CMS. Unfortunately though it's the easiest dog there is for fudging custom applications without too much actual development experience required.

Typically I see 200+ DB queries to load a page, 4k+ in some cases with a totally cold cache. And people wonder why their Drupal sites have such poor performance! The best way to use Drupal is to not use Drupal at all, and I'm not just being an arse by saying that; I mean just use it as a glorified static HTML generator and cache the result in Varnish/nginx.

IMO if you need 300 modules and blobs of code to get a thing to do what you want, you should probably be doing it yourself anyway.

Lol, I suppose the old witty IRC reply to questions/requests for help does apply in this case... Not happy? Ask for a refund*

* I'm not slating open source in the slightest, so please don't downvote. Anyone who works with open source projects will have seen someone reply with that at some stage.

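The comment above describes the bug as "SQL injection" in a layer that every query passes through. The following is an added example, not code from Drupal or from any commenter: a small Python model of the placeholder-expansion flaw fixed in SA-CORE-2014-005 (the advisory linked in the thread). Drupal 7's database layer expands an array argument so that `db_query("... IN (:name)", array(':name' => array(...)))` works; before the fix, the keys of the caller-supplied array were concatenated into the new placeholder names and spliced into the SQL text, and PHP builds exactly such an array from request data of the form `name[<key>]=<value>`, so the key was attacker controlled. The patch switched to `array_values()` so only a 0..n-1 counter can reach the query string. The model below reimplements that expansion in Python rather than quoting the PHP; the query, the `users` table, the hostile request and the helper names are all constructed for this example.

```python
"""
Added example, not Drupal's own code: a Python model of the placeholder
expansion bug behind SA-CORE-2014-005.  The vulnerable and fixed versions
differ only in whether the caller-supplied array *keys* (request data) or a
plain counter become part of the placeholder names, and hence of the SQL.
Query, table, request shape and helper names are constructed here.
"""
import re
import sqlite3

QUERY = "SELECT uid FROM users WHERE name IN (:name) AND status = 1"

# Constructed hostile key: what PHP would produce from name[0; UPDATE ...]=eve
INJECTED_KEY = "0; UPDATE users SET status = 1 WHERE name = 'eve' --"
HOSTILE_ARGS = {":name": {INJECTED_KEY: "eve", "0": "eve"}}
BENIGN_ARGS = {":name": {"0": "bob"}}


def _splice(query, key, new_keys):
    # Replace the placeholder (as a whole word) with the comma-joined new
    # names.  A callable replacement avoids backslash processing of the text.
    return re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)


def expand_vulnerable(query, args):
    """Expansion modelled on Drupal 7 before the fix: the array keys, which
    come straight from the request, become part of the placeholder names
    and therefore of the SQL string itself."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value for i, value in data.items()}
        query = _splice(query, key, new_keys)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_fixed(query, args):
    """Same expansion with the fix applied: keys are discarded and replaced
    by an integer counter (array_values() in the patch), so request data can
    only ever reach the bound values, never the query text."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value for i, value in enumerate(data.values())}
        query = _splice(query, key, new_keys)
        del args[key]
        args.update(new_keys)
    return query, args


def injected_into_sql(expand):
    """True if the hostile key ends up in the SQL text rather than in a value."""
    query, _bound = expand(QUERY, HOSTILE_ARGS)
    return "UPDATE users" in query


def lookup_with_fix(args):
    """Run the hardened expansion against an in-memory SQLite table with
    named parameters; returns the uids that matched."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, status INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "bob", 1), (2, "eve", 0)])
    query, bound = expand_fixed(QUERY, args)
    # sqlite3 expects named parameters without the leading colon
    rows = conn.execute(query, {k[1:]: v for k, v in bound.items()}).fetchall()
    conn.close()
    return [uid for (uid,) in rows]


if __name__ == "__main__":
    print(expand_vulnerable(QUERY, HOSTILE_ARGS)[0])
    print(expand_fixed(QUERY, HOSTILE_ARGS)[0])
    print(lookup_with_fix(BENIGN_ARGS), lookup_with_fix(HOSTILE_ARGS))
```

Running the script prints the two expanded queries side by side: the vulnerable one reads `IN (:name_0; UPDATE users SET status = 1 WHERE name = 'eve' --, :name_0) ...`, with the attacker's text sitting in the statement and a trailing comment swallowing the rest, while the fixed one reads `IN (:name_0, :name_1)` and carries `eve` only as bound values. That is why the advisory treated this as unauthenticated, pre-login injection: the expansion runs inside the query builder, before any application code sees the values, and the same fix (never let caller-supplied keys name a placeholder) applies to any home-grown query helper that builds `IN (...)` lists.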

Re: Horrendous!

It didn't take that long. The announcement was made on October 15, 2014 at 3:54pm EST and released to the community immediately. If you waited more than 7 hours then you stood a chance that your site might have been compromised.

Original announcement: https://www.drupal.org/node/2357241

What to do: https://www.drupal.org/node/2365547

Project DrupalGeddon: https://www.drupal.org/project/drupalgeddon


Re: Horrendous!

Yes it did take that long.

The original security advisory was posted on the 15th Oct. The next followup announcement informing you that you need to patch within 7 hours or restore from backup, came on the 29th Oct... https://www.drupal.org/PSA-2014-003

Is it just me that finds it insane that it takes 2 weeks to provide that followup advice through the official channels?


"...hard pill for some sites to follow..."

To follow? I would imagine the only following this pill caused anyone was to follow through.

Current Status - Brown


Biting the hand that feeds IT © 1998–2017