Posted by Bevan on October 31, 2014 at 11:10pm
One of the reasons Drupageddon's impact was so large was that it was so easy to exploit. PoCs show this, and quite possibly made it easier and faster for attackers to exploit, especially attackers not so familiar with Drupal:
For example:
- 5pm Thursday 16 October, unknown timezone
- 30 minutes after announcement, I think
- Just before the announcement, in Drupal 7.32's test code and its second-to-last commit: http://cgit.drupalcode.org/drupal/commit/?id=449c702
Indeed, most attacks I have seen seem to utilize the login name-key query point of attack (as used in the test code) to begin their attacks, despite there being other vectors to this vulnerability.
Perhaps security and core policies need reconsideration to allow for code that makes an exploit too obvious to be applied at a later date to a following version of Drupal core.
Thoughts?
Comments
I believe the comment from fyukyuk that showed how to exploit the issue was posted several hours after the release was created. The email went out at Wed Oct 15 16:04:14 UTC 2014 and fyukyuk's comment was at 20:49, which is 4.5 hours later.
The post by sektion eins came out at the same moment as the advisory and it focused attention on that same area of code.
I don't personally think that the testcase is what led people to explore that area of code, but it's possible.
We discussed this topic in the private queue - whether to include a testcase or not - and decided that the test that was added didn't add significantly to highlighting the path to exploit compared to other information that was going to be released at the same time.
Edited to fix link
knaddison blog | Morris Animal Foundation
Thanks for the response. I see now that I misunderstood the test case the first time. While it does make an exploit easier to develop, it does not directly highlight how.
Bevan/