All Drupal CMS Versions Susceptible to Exploits

If you are still using Drupal – or more likely a client insists on still using it – be aware that there are some major vulnerabilities that have yet to be patched.

Many webmasters have switched from Drupal to WordPress in recent years, but there are still many sites running Drupal.  And with many of these sites being older, Drupal has been the target of exploits previously, including the October 2014 attack that saw many Drupal sites exploited if they did not upgrade within hours of a new Drupal version being released.

There are more details on the IOActive blog about the new vulnerabilities, but one leads users to believe their site is fully updated when it is not.  Due to how Drupal handles the updating process, if the site has an issue during the updating, such as a network problem, Drupal will show that the site was upgraded to the latest version, when in fact the update attempt failed.

Another vulnerability is due to an unencrypted connection during the update process can result in an attacker eavesdropping on the network traffic to supply a fake update.  While this won’t affect most users, it could affect those who are running updates through a public network – such as public WiFi.

These possible exploits may not been patched at this time, although Drupal did just release a new patch to version 8.0.2 a few hours ago which may fix these issues.  But be sure to update your version of Drupal in a secure environment.  While most security researchers don’t publish exploits without permission or until the security holes have been patched, according to ThreatPost, Drupal gave the researcher permission to publish, although Drupal has yet to comment publicly.  But this also means that the problem is now publicized to those who could take advantage of it.

Update: Almost two days after this post, Drupal finally commented publicly here.

The following two tabs change content below.

• Bio
• Latest Posts

Jennifer Slegg

Founder & Editor at The SEM Post

Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.

Latest posts by Jennifer Slegg (see all)

• 2022 Update for Google Quality Rater Guidelines – Big YMYL Updates - August 1, 2022
• Google Quality Rater Guidelines: The Low Quality 2021 Update - October 19, 2021
• Rethinking Affiliate Sites With Google’s Product Review Update - April 23, 2021
• New Google Quality Rater Guidelines, Update Adds Emphasis on Needs Met - October 16, 2020
• Google Updates Experiment Statistics for Quality Raters - October 6, 2020