Drupal on the BBC

Posted by omahm

Ouch, not the kind of headlines we want Drupal to make.
http://www.bbc.co.uk/news/technology-29846539

Does anyone else think it's a dumb idea that, by default, a meta generator element is added with 'Drupal 7' as its value? Does this not make it easier for exploit scripts/bots?

Comments

It's super easy to

Posted by alexpott

It's super easy to fingerprint a Drupal site without the meta generator anyway. Security by obscurity does not really give us anything.
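To illustrate the point above, here is an added example (not code from this thread or from Drupal itself) that fingerprints a Drupal 7 site from artefacts other than the meta generator tag: the X-Generator response header and the fixed "Sun, 19 Nov 1978" Expires header that Drupal 7 sends by default, the /misc/drupal.js include, the Drupal.settings JavaScript object, the sites/default/files asset path, and the CHANGELOG.txt that ships in the webroot and states the exact release. The headers, page body and changelog text below are constructed samples, not captured traffic.

```python
"""Added example (not code from the thread): fingerprint a Drupal 7 site from
artefacts other than the <meta name="Generator"> tag. The headers, page body
and CHANGELOG.txt below are constructed samples, not captured traffic."""
import re

# Constructed sample: response headers from a Drupal 7 site whose theme
# has stripped the meta generator tag from the HTML.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Generator": "Drupal 7 (http://drupal.org)",
    "Expires": "Sun, 19 Nov 1978 05:00:00 GMT",
}

# Constructed sample: page body with no generator tag but the usual D7 markup.
SAMPLE_BODY = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="/sites/default/files/css/css_abcdef.css" media="all" />
<script src="/misc/drupal.js?v=7.32"></script>
<script>jQuery.extend(Drupal.settings, {"basePath":"/"});</script>
</head><body class="html front not-logged-in">hello</body></html>"""

# Constructed sample: the top of a CHANGELOG.txt as found in the D7 webroot.
SAMPLE_CHANGELOG = "Drupal 7.32, 2014-10-15\n-----------------------\n- Fixed security issues.\n"

# (indicator name, where to look, pattern) for things Drupal 7 emits by default.
INDICATORS = [
    ("X-Generator header", "header:x-generator", re.compile(r"^Drupal\b")),
    ("fixed Drupal Expires header", "header:expires",
     re.compile(r"^Sun, 19 Nov 1978 05:00:00 GMT$")),
    ("misc/drupal.js script include", "body", re.compile(r"/misc/drupal\.js")),
    ("Drupal.settings JavaScript object", "body", re.compile(r"Drupal\.settings")),
    ("sites/default/files asset path", "body", re.compile(r"/sites/default/files/")),
    ("meta generator tag", "body",
     re.compile(r'<meta[^>]+name="Generator"[^>]+content="Drupal', re.I)),
]


def fingerprint(headers, body):
    """Return [(indicator, evidence)] for every default Drupal 7 artefact found."""
    lower = {k.lower(): v for k, v in headers.items()}
    found = []
    for name, where, pattern in INDICATORS:
        if where.startswith("header:"):
            value = lower.get(where.split(":", 1)[1])
            if value is not None and pattern.search(value):
                found.append((name, value))
        else:
            match = pattern.search(body)
            if match:
                found.append((name, match.group(0)))
    return found


def version_from_changelog(text):
    """CHANGELOG.txt in the D7 webroot opens with the exact release line."""
    match = re.match(r"Drupal (\d+\.\d+(?:\.\d+)?),", text)
    return match.group(1) if match else None


def looks_like_drupal(headers, body):
    """Two or more independent artefacts is a confident call without the meta tag."""
    return len(fingerprint(headers, body)) >= 2


if __name__ == "__main__":
    for name, evidence in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{name}: {evidence}")
    print("exact version from CHANGELOG.txt:", version_from_changelog(SAMPLE_CHANGELOG))
```

Against the constructed sample the meta tag is absent and five other indicators still match, which is the whole argument: dropping the generator tag removes one signal out of several, and CHANGELOG.txt (when left readable) gives the precise minor version that the tag never did.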

Yeah, but security is a

Posted by omahm

Yeah, but security is a layered approach, and having your site basically advertise that it's running on a certain platform is asking for trouble. Sure, the fingerprint can be determined in other ways, but it's a real gift-wrapped present to exploit coders if all they have to do is look up 'generator' == 'Drupal 7'.

When writing a bot that

Posted by yautja_cetanu

When writing a bot that exploits sites, making things harder or easier for the coder is probably not that big a deal, because they only have to write the code once.

During the downtime when Drupal is secure, they could just make their bot that scans for Drupal sites, so that when it comes to a payday they just stick in their exploit and go.

I think making sure there aren't version numbers is quite important, because it would be hard to build a generic way of differentiating between minor upgrade versions, and so it forces botters to try it on all Drupal sites.

I think making sure there

Posted by Neil C Smith

"I think making sure there aren't version numbers is quite important, because it would be hard to build a generic way of differentiating between minor upgrade versions, and so it forces botters to try it on all Drupal sites."

Judging from all the 404s we get on things like wp-admin, I'm not sure there's much discrimination at all. Just fire at everything and see what sticks! ;-)

"What Drupal badly needs but

Posted by markconroy

"What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."

Yes, and as many git conflicts as possible due to auto updates (not to mention the potential to break sites if updates are rolled out automatically and not tested on each individual site).

Maybe automatic updates on by

Posted by markh_

Maybe automatic updates on by default but you can turn them off if you want to do the update process manually.

He's asking for trouble with

Posted by aburrows

He's asking for trouble with this comment:

Drupal should no longer rely on users to apply patches, said Mr Stockley.

"Many site owners will never have received the announcement and many that did will have been asleep," he said. "What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."

Am I doing enough?

Posted by frankdesign

I have patched my websites, but not within the 7-hour window. I know for sure that 4 were compromised, as there was an additional user added on each site with a new role called MegaUser.

Anyway, I want to be sure that I am doing enough to protect the websites going forward. Having patched all my websites and removed the additional user and role from the 4 sites that had them, I am now working through each site and reinstalling. By reinstalling, I mean I am backing up and deleting all files from the web server. Backing up and deleting the Database and Database User. Reinstalling Drupal 7.32 and downloading and reinstalling fresh copies of all contrib modules. Setting up a new database and database user and repopulating the database from a back-up that dates from before Oct 15. I am then transferring back the theme files (checking them first to make sure there are no changes or extra files) and transferring back user uploaded files (in all cases images) having checked them for changes or additional files. Finally, I am manually adding any additional nodes/beans that my website users have added since the Oct 14 database back-up. It's a painful process - but I'm hoping it's thorough enough to protect the websites.

Is there anything else I should be doing or should be aware of?

Thanks

F

One of my sites was

Posted by markh_

One of my sites was compromised that I'm aware of. Like Frank, a user drupaldev was added with the role MegaUser.

Touch wood, none of my sites

Posted by alexharries

Touch wood, none of my sites were compromised, so after applying the patch (within 8 or so hours of the original announcement) I only had to restore an earlier database and use "git status" to check for modified files.

I'm guessing a lot of people are deploying without version control on their code which must make it that much harder to see if anything important has changed?
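Both frankdesign's rebuild (checking theme files and user uploads for "changes or extra files" before copying them back) and alexharries's "git status" come down to the same check: compare what is on the server against a copy you trust. The following is an added example, not code from this thread or from Drupal, that does that comparison with file hashes and additionally flags server-side scripts under the upload directory. The two directory trees it compares are constructed in a temporary directory so that it runs offline; the file names and contents are made up for the demo.

```python
"""Added example (not code from the thread): compare a deployed Drupal tree
against a clean reference tree to find added, modified and removed files, and
flag server-side scripts under the user-upload directory. The two trees are
constructed in a temporary directory so the demo runs offline."""
import hashlib
import os
import tempfile

# Uploads (sites/default/files) should hold images and documents, never code.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".inc", ".module", ".install"}


def tree_hashes(root):
    """Map each file's path (relative, '/'-separated) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(clean_root, deployed_root):
    """Diff a deployment against a known-clean copy (fresh tarball or git checkout)."""
    clean, deployed = tree_hashes(clean_root), tree_hashes(deployed_root)
    common = set(clean) & set(deployed)
    return {
        "added": sorted(set(deployed) - set(clean)),
        "removed": sorted(set(clean) - set(deployed)),
        "modified": sorted(p for p in common if clean[p] != deployed[p]),
    }


def scripts_in_uploads(deployed_root, files_dir="sites/default/files"):
    """Uploaded files carrying a script extension; any hit needs a manual look."""
    prefix = files_dir.rstrip("/") + "/"
    return sorted(
        p for p in tree_hashes(deployed_root)
        if p.startswith(prefix) and os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS
    )


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo():
    """Constructed sample trees: a clean copy and a tampered deployment (made-up content)."""
    base = tempfile.mkdtemp(prefix="drupal-check-")
    clean = os.path.join(base, "clean")
    deployed = os.path.join(base, "deployed")
    for root in (clean, deployed):
        _write(root, "index.php", b"<?php\nrequire_once 'includes/bootstrap.inc';\n")
        _write(root, "includes/bootstrap.inc", b"<?php\n// bootstrap\n")
        _write(root, "sites/default/settings.php", b"<?php\n$databases = array();\n")
        _write(root, "sites/default/files/logo.png", b"\x89PNG\r\n\x1a\n")
    # Tampering on the deployed side only: an altered index.php and an extra
    # script dropped into the upload directory (contents are placeholders).
    _write(deployed, "index.php",
           b"<?php\nrequire_once 'includes/bootstrap.inc';\n// line not in the clean copy\n")
    _write(deployed, "sites/default/files/tmp.php", b"<?php\n// not part of any module\n")
    return clean, deployed


if __name__ == "__main__":
    clean_root, deployed_root = build_demo()
    report = compare_trees(clean_root, deployed_root)
    for kind in ("added", "modified", "removed"):
        print(f"{kind}: {report[kind]}")
    print("scripts in uploads:", scripts_in_uploads(deployed_root))
```

Two caveats worth keeping in mind. First, "git status" only reports paths git tracks or can see; anything listed in .gitignore, which on a typical Drupal deployment includes sites/default/files and often settings.php, never shows up there, so the upload directory needs a separate check like scripts_in_uploads above. Second, a file-level comparison says nothing about the database: the extra user and MegaUser role described earlier in this thread live in the users and role tables, and content that Drupal evaluates as code (for example via the PHP filter module) lives in the database too, so restoring files alone is not a complete clean-up.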