Hot on the heels of Adobe's Acquisition of Magento, Dries Buytaert took to the web to word out his criticism of the deal. He ends the note comparing the situation with the Acquia (Drupal corporate sponsor) arch enemy product Adobe Experience Manager:
It's been official for a while now: Drupal will adopt React.js to it's administration interface. This was announced shortly after the Vienna DrupalCon, a last of it's kind held in Europe for now.
In a Drupal.org post the core team said they would be looking at a number of options, but once BDFL Buytaert put down his word, it was clear that Drupal will use React.js.
Many news outlets are now confirming the widespread outlet of cryptocurrency mining on compromised Drupal CMS installations, following a string of vulnerabilities in the system in early 2018:
A month after the Critical vunerability dubbed Drupalgeddon 2 hit, the expoit is now being actively exploited. Malicious attackers are using botnets to exploit Drupal at scale, most of which no longer deface the site or make their presence known at all.
Instead cracked Drupal installations are using worm like malware to take control of the server, or cluster of servers running Drupal. This allows the attackers to use the popular CMS as an attack tool, to make profit indirectly.
The Open Source Drupal Content Management System (CMS) has been hit with a series of vulnerabilities in the first months of 2018. The four distinct security releases (SA-CORE-2018-001, SA-CORE-2018-002, SA-CORE-2018-003, SA-CORE-2018-004) have all been labelled critical or highly critical.
Drupal has had a bad first half of 2018 regarding security. Following Drupalgeddon 2 and the botnet exploits came a smaller update. This is now followed with a critical vulnerability (SA-CORE-2018-004) that allows remote code execution. The commit showing the made patches to Drupal 8.x is available online: 7bff52b3a15d
Another critical vulnerability will be patched in Drupal on April 25th 2018. The Drupal security team posted information on this on Monday April 23rd. At 16:00 - 18:00 UTC time there will be releases for three separate lines of Drupal:
Several weeks after responsible hosters have patched their installations for Drupalgeddon 2, there are still many unpatched installations out there. Originally the vulnerabilities were unveiled in late March. After Checkpoint did their piece on uncovering Drupalgeddon 2, exploiters have activated on the issue.
tl;dr: The Cambridge Analytica site is using a version of Drupal that has an easy XSS exploit using vulnerability SA-CORE-2018-001.
Drupal is a content management system often used for Enterprise Content Management Projects. The tool is large and has integrated features such as a database entity system, which leaves it open to lots of attack vectors because of the large API surface.Without a central authority like Acquia handling security updates, things can be difficult to patch and there will be vulnerable installs as was the case with Drupalgeddon in 2014.