
Drupal Version Update Has Vulnerabilities


Drupal is a leading CMS in a sea of successful content management systems. However, its update process gives attackers a way in, leaving it exposed to a number of serious malware and bugs. Read on to learn more.


Content management systems, or CMSs, have acquired an impressive number of users over the last decade. Nowadays, they are widely used among web designers and developers for building feature-rich and intuitive websites. Needless to say, this immense popularity has produced a vast range of robust and developer-friendly CMSs. In this assortment, some have established themselves as leaders, and Drupal is one of them!

This robust and developer-friendly tool struck the right notes with technocrats, industry leaders, and internet users alike. It is typically used to create complex, advanced, and versatile sites. However, proving the old saying "every coin has a flip side" true, Drupal too has a darker side!

Challenge # 1 - During the update process, it is exposed to a number of serious malware and bugs. This gives attackers an easy way into the system, letting them corrupt installations through tampered update packages. In the worst case, they might even break into the servers and badly affect the site.


Though Drupal does not enjoy as much popularity as counterparts like WordPress and Joomla, it is well suited to serious content management businesses. Moreover, it is also one of the most used platforms for building enterprise-ready, large-scale, and customizable websites.

Challenge # 2 - An attacker may force an admin to check for updates due to a CSRF vulnerability on the update functionality.


The update process fetches, in plaintext, an XML file at http://updates.drupal.org/release-history/drupal/7.x and checks whether the installed release is the latest version. In the demonstration, this XML document points to a backdoored version of Drupal.

Screenshot (not reproduced here) of the Drupal update status page, showing:

  • The current security update, deliberately named "7.41 Backdoored"

  • A notice that the security update is required, with a download link button

  • The URL of the malicious update that will be downloaded

Challenge # 3 - Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.

Like many other modern CMSs, Drupal is updated automatically from its back-end admin panel at the click of a button. However, Drupal has already marked versions 7 and 8 as updated even when the automated patching process fails, owing to a number of dead internet links.

Moreover, on top of these vulnerabilities, it is surprising that the update check is made over HTTP instead of HTTPS. Needless to say, this gives attackers on public networks an easy opening.
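The release feed described above is fetched in plaintext, so a site operator who wants to gate automatic updates should at least audit what the feed claims before anything is downloaded. The following is an added example, not code from the article or from the Drupal project: it parses a constructed feed in the general shape of the release-history XML (element names such as `version` and `download_link` are assumptions) and flags the tampered entry from the demonstration, a non-HTTPS feed URL, a version string that is not a release number, and a download link that is not HTTPS or not on a trusted host.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the shape of the Drupal release-history feed; the
# element names (version, download_link) are assumed, not taken from the page.
# The second release mirrors the tampered entry the article describes.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="utf-8"?>
<project>
  <short_name>drupal</short_name>
  <releases>
    <release>
      <name>drupal 7.41</name>
      <version>7.41</version>
      <download_link>https://ftp.drupal.org/files/projects/drupal-7.41.tar.gz</download_link>
    </release>
    <release>
      <name>7.41 Backdoored</name>
      <version>7.41 Backdoored</version>
      <download_link>http://attacker.invalid/drupal-7.41.tar.gz</download_link>
    </release>
  </releases>
</project>
"""

TRUSTED_HOSTS = {"ftp.drupal.org"}          # hosts allowed to serve core tarballs
VERSION_RE = re.compile(r"^\d+\.\d+(-[a-z]+\d*)?$")  # 7.41, 8.0-beta1, ...


def audit_feed(xml_bytes: bytes, feed_url: str) -> dict:
    """Map each release version to the reasons it must not be auto-installed."""
    findings = {}
    # The transport of the feed itself is the first thing to check.
    if urlparse(feed_url).scheme != "https":
        findings["<feed>"] = ["release feed fetched over plaintext HTTP"]
    for rel in ET.fromstring(xml_bytes).iter("release"):
        version = (rel.findtext("version") or "").strip()
        link = urlparse((rel.findtext("download_link") or "").strip())
        reasons = []
        if not VERSION_RE.match(version):
            reasons.append("version string is not a release number")
        if link.scheme != "https":
            reasons.append("download link is not HTTPS")
        if link.hostname not in TRUSTED_HOSTS:
            reasons.append("download host is not in the trusted set")
        if reasons:
            findings[version] = reasons
    return findings
```

Note that an integrity hash carried inside the same unauthenticated feed cannot substitute for these checks, since an attacker who can rewrite the download link can rewrite the hash as well.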

All of this may sound intimidating, given that Drupal is a top CMS widely used to develop complex, advanced, and versatile sites, for example as the platform for an online store. In fact, if these flaws are not corrected, chances are that webmasters will switch to more secure platforms such as Joomla or WordPress. It is high time that Drupal fixed these bugs, before it gets black-listed by webmasters.


Topics: drupal, cms
