10/17/2014

Year-old Drupal critical security bug now being actively attacked - patch available

If you have a Drupal site you should start the upgrade immediately. The Drupal people say that patching alone is not enough and won't guarantee that there are no other bugs in the code. This means that you have to upgrade to the latest version, which came out yesterday.

This is a very critical bug because it lets anyone, without any authentication, inject whatever code they want into your website, or even take control of your website.

The Drupal site also says that there are NO rules for a WAF (web application firewall) that are coherent enough to protect against all the different kinds of attacks that can be performed with this bug.

On the Drupal site people also say that attacks coming out of Russia (do you need traffic coming out of Russia? I don't, so I just drop it) are ongoing and permanent. Several working attack codes are available on Pastebin and elsewhere.

This bug sat in the public bug list for over a year before anyone took notice, and it shows once again the single biggest issue with these open-source projects. All the developers were at their conference at the time the attack code and the attacks started (so there was some social engineering in the timing of the attacks, which is typical of modern-day professional attacks).

https://www.drupal.org/node/2357241 

https://www.drupal.org/SA-CORE-2014-005

Nobody is going to complain if you put your site in maintenance mode for a short while now so you can upgrade, as you should.
