Drupal takes on risky admin interface renewal to catch up with WordPress

Submitted by dryer on Tue, 05/15/2018 - 07:26

It's been official for a while now: Drupal will adopt React.js for its administration interface. This was announced shortly after the Vienna DrupalCon, the last of its kind held in Europe for now.

In a Drupal.org post, the core team said they would be looking at a number of options, but once BDFL Buytaert had weighed in, it was clear that Drupal would use React.js.

Drupal exploit "me0ws" spreads Monero malware to site visitors

Submitted by dryer on Fri, 05/04/2018 - 19:04

A month after the critical vulnerability dubbed Drupalgeddon 2 hit, it is now being actively exploited. Malicious attackers are using botnets to exploit Drupal at scale, and most of them no longer deface the site or make their presence known at all.

Instead, cracked Drupal installations are using worm-like malware to take control of the server, or cluster of servers, running Drupal. This allows the attackers to use the popular CMS as an attack tool to make a profit indirectly.

The velocity of Drupal vulnerability exploits raises doubts

Submitted by dryer on Tue, 05/01/2018 - 07:02

The Open Source Drupal Content Management System (CMS) has been hit with a series of vulnerabilities in the first months of 2018. The four distinct security releases (SA-CORE-2018-001, SA-CORE-2018-002, SA-CORE-2018-003, SA-CORE-2018-004) have all been labelled critical or highly critical.

Drupal remote code execution vulnerability exploited widely (SA-CORE-2018-004) - Lax security makes a dent in enterprise adoption aspirations?

Submitted by dryer on Thu, 04/26/2018 - 06:30

Drupal has had a bad first half of 2018 regarding security. Drupalgeddon 2 and the botnet exploits were followed by a smaller update. This is now followed by a critical vulnerability (SA-CORE-2018-004) that allows remote code execution. The commit showing the patches made to Drupal 8.x is available online: 7bff52b3a15d

Drupalgeddon 2 Drupal vulnerability exploiting botnets emerge

Submitted by dryer on Thu, 04/19/2018 - 12:13

Several weeks after responsible hosters patched their installations for Drupalgeddon 2, there are still many unpatched installations out there. The vulnerabilities were originally unveiled in late March. After Check Point published their piece uncovering Drupalgeddon 2, exploiters have become active on the issue.

Drupal Critical Vulnerabilities Exploit (SA-CORE-2018-002)

Submitted by dryer on Wed, 03/28/2018 - 18:09

Drupal is a content management system often used for Enterprise Content Management projects. The tool is large and has integrated features such as a database entity system, which leaves it open to many attack vectors because of the large API surface. Without a central authority like Acquia handling security updates, things can be difficult to patch and there will be vulnerable installs, as was the case with Drupalgeddon in 2014.