back to article Drupal megaflaw raises questions over CMS bods' crisis mgmt

The security world has been shocked to its foundations following ominous warnings that millions of Drupal websites that didn't apply a critical patch within hours of its release earlier this month should be regarded as hopelessly compromised. The maintainers of the Drupal content management system warned users that “automated …

  1. Anonymous Coward
    Anonymous Coward

    That's what you get for not using

    TYPO3

    Drupal isn't a CMS; it was designed to run a forum, now you see why.

  2. macjules Silver badge

    Re: That's what you get for not using

    Like saying that Facebook wasn't intended to be a social network, it was built to give Zuckerberg fapping material via pictures of female students through hacked university private dormitory ID images.

  3. Captain Scarlet Silver badge
    Paris Hilton

    Re: That's what you get for not using

    The last time I checked TYPO3 had a big learning curve, drupal and other CMS scripts such as e107 are simple to setup and does what most people need.

    Paris because obviously I'm dumb for not using TYPO3

  4. Charlie Clark Silver badge
    Thumb Down

    Re: That's what you get for not using

    Yes, as if Typo 3 doesn't have its own set of problems.

    All software has bugs.

  5. elip

    Re: That's what you get for not using

    There are bugs in all software, yes. But there are bugs, and there are egregious repeated examples of recklessness. Choose your software wisely.

  6. batfastad

    Horrendous!

    I don't really understand why it took until the 29th to advise users that they should probably restore from backups. We have backups of course but each day that goes by makes restoring from a backup almost exponentially less feasable.

    People who are active in the community and spend all day in #drupal on IRC might stay on top of the aftermath of something like this. But I don't think most users of Drupal employ full-time babysitters for their CMS. Many Drupal site administrators are probably not the most technical either, it's a point-n-click application, so why bother employing a sysadmin when we can pay for Jonny Wordpress to have a morning of Drupal training and a book to not read.

    At best Jonny Wordpress might subscribe to the security announcement feeds or mailing lists. Perhaps even these... https://www.drupal.org/security/rss.xml and https://www.drupal.org/security/psa/rss.xml

    In which case he would have no idea of the total sh*tstorm that's rained down in the intervening 2 weeks.

    SQL injection is horrendous and especially bad news where so much of a site's structure and config is stored in the database. And even worse when the bug has been present for the 3+ years since the release of Drupal 7.

    I've always thought Drupal was a total dog of a CMS. Unfortunately though it's the easiest dog there is for fudging custom applications without too much actual development experience required.

    Typically I see 200+ DB queries to load a page, 4k+ in some cases with a totally cold cache. And people wonder why their Drupal sites have such poor performance! The best way to use Drupal is to not use Drupal at all, and I'm not just being an arse by saying that, i mean just use it as a glorified static HTML generator and cache the result in Varnish/nginx.

    IMO if you need 300 modules and blobs of code to get a thing to do what you want, you should probably be doing it yourself anyway.

    Lol, I suppose the old witty IRC reply to questions/requests for help does apply in this case... Not happy? Ask for a refund*

    * I'm not slating open source in the slightest so pls don't downvote. Anyone who works with open source projects will have seen someone reply with that at some stage.

  7. macjules Silver badge

    Re: Horrendous!

    It didn't take that long. The announcement was made on October 15, 2014 at 3:54pm EST and released to the community immediately. If you waited more than 7 hours then you stood a chance that your site might have been compromised.

    Original announcement: https://www.drupal.org/node/2357241

    What to do: https://www.drupal.org/node/2365547

    Project DrupalGeddon: https://www.drupal.org/project/drupalgeddon

  8. batfastad

    Re: Horrendous!

    Yes it did take that long.

    The original security advisory was posted on the 15th Oct. The next followup announcement informing you that you need to patch within 7 hours or restore from backup, came on the 29th Oct... https://www.drupal.org/PSA-2014-003

    Is it just me that finds it insane that it takes 2 weeks to provide that followup advice through the official channels?

  9. G Watty What?

    "..hard pill for some sites to follow..."

    To follow? I would imagine the only following this pill caused anyone was to follow through.

    Current Status - Brown

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018