Critical remote code execution holes reported in Drupal modules

Drupal is calling on its users to patch a dangerous remote code execution hole that can let attackers easily hijack sites. The content management system has some 15 million downloads, compared to WordPress on 140 million and Joomla with 30 million, but is used on big ticket and business sites including nine percent of the …

  1. Pascal Monett Silver badge

    "The Coder module [..] does not need to be enabled in order to be exploitable"

    That is certainly a worst-case scenario: just having the module on the server can get you hosed. The high profile of this issue just makes things worse. I'm thinking of porting my company's web site to a CMS like Drupal - now I'll be waiting for the correction before going further.

    1. Anonymous Coward

      Re: "The Coder module [..] does not need to be enabled in order to be exploitable"

      Having had some Drupal sites in my herd until recently, I'd recommend Wordpress if you're going to go the CMS route. It's a higher-priority target for hackers due to its popularity; but the response time for holes to be fixed is pretty impressive too.

      WP's main selling point is the ease of updating - press the button and a few seconds later you're done. Drupal (& others) you have to schedule downtime and take them to bits to update. Not only is it a pain in the arse; but it also means that patching anything takes a lot longer, so you're vulnerable for longer.

      WP doesn't get a lot of love here on El Reg, but I've only ever had one site hacked and that was an inside job.

      1. Aodhhan
        Joke

        Re: "The Coder module [..] does not need to be enabled in order to be exploitable"

        You must be joking. In the past year, Wordpress had vulnerabilities which were around for more than 90 days. This isn't impressive... especially when PoCs are available within days of the notification.

        Wordpress is also popular for hacking due to the number of tools built specifically to interrogate the application for vulnerabilities.

        What also makes it dangerous is the number of add-ons available and who builds them; which increases the number of attack vectors to go for.

        The modules are much easier to reverse engineer than the main application itself. It's also the add-ons which typically have the long patch times. These are also much easier to create attack modules for... which allow just about anyone to successfully attack.

        Dangerous claim to make if you're not well versed in these matters.

        1. Anonymous Coward

          Re: "The Coder module [..] does not need to be enabled in order to be exploitable"

          @Aodhhan - All fair points, but ones which apply to any CMS to my knowledge. WP's popularity does make it a huge target; but its popularity also means more eyes on and more people with an investment in it being secure, so it's not all downside.

          You use the fewest plugins possible, and the ones you do use should be regularly maintained; but again that's universal... the same applies to Drupal modules and whatever they call add-ons for Joomla (it's been a while) etc.

          But it all depends upon use. If you want to protect important info from state-level players, you'd be insane to use any CMS. If you want an installation where a relatively low-tech owner can maintain it and change bits, then WP is ideal; and ease of applying whatever updates are available is a big plus there. You can even tell the site to keep itself updated in the event of exceptionally clueless/lazy owners, and you can't do that with Drupal.

    2. Anonymous Coward

      Re: "The Coder module [..] does not need to be enabled in order to be exploitable"

      Why?

      CMSes were a mistake. They're insecure, slow, bloated, a nightmare to maintain, and the bloody content authors/editors don't even use them - designers and developers still have to do all the work.

      The hype about purely static site generators is an overreaction IMHO, but basically the right idea.
