Content management systems or CMSs, over the last decade, acquired an impressive number of users. Nowadays, they are widely used among web designers and developers for building feature-rich and intuitive websites. Needless to say, this immense popularity has resulted in a vast range of robust and developer-friendly CMSs. In this assortment of CMSs, some managed to establish themselves as the leaders, and Drupal is one them!
This robust and developer-friendly tool struck the right notes with technocrats, industry leaders, and internet users, alike. It is typically used to create complex, advanced, and versatile sites. However, proving the old saying "every coin has a flip side" true, Drupal too has a darker side!
Challenge # 1 - During the update process, it gets exposed to a number of serious malware and bugs. This further provides an easy access for the hackers to get into the system and corrupt installations through update packages. In some worst case scenarios, they might even hack into the servers and badly affect the site.
Though Drupal does not enjoy much popularity as compared to its counterparts like WordPress and Joomla, it is fairly useful for some serious content management businesses. Moreover, it is also one of the most used platforms to build enterprise-ready, huge-scale, and customizable websites.
Challenge # 2 - An attacker may force an admin to check for updates due to a CSRF vulnerability on the update functionality.
The update process downloads a plaintext version of an XML file at http://updates.drupal.org/release-history/drupal/7.x and checks to see if it is the latest version. This XML document points to a backdoored version of Drupal.
The current security update (named on purpose "7.41 Backdoored")
The security update is required and a download link button
The URL of the malicious update that will be downloaded
Challenge # 3 - Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.
Like a lot of other modern CMS, Drupal gets automatically updated from its backend admin panel with the click of a button. However, Drupal has already marked version 7 and 8 as updated, even when the automated patching process fails, owing to a number of dead internet links.
Moreover, pointing to other vulnerabilities, it is a surprise that the update process is made over HTTP instead of HTTPS. Needless to say, this further provides easy access for hacker attacks over public networks.
All of this may sound intimidating, given it is a top CMS, and since it is widely used to develop complex, advanced, and versatile sites, e.g. to be used as a platform for an online store. In fact, if these flaws are not corrected, chances are that webmasters may switch to more secure platforms such as Joomla or WordPress. It is high time that Drupal fixes the bug, before it gets black-listed by the webmasters.