drupal http://drupal.sh/taxonomy/term/1 en Cambridge Analytica website runs a critically vulnerable version of Drupal http://drupal.sh/cambridge-analytica-drupal-vulnerable <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Cambridge Analytica website runs a critically vulnerable version of Drupal</span> <div class="field field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2018-03/drupal-cambridge-analytia.png?itok=eyFVu9au" width="480" height="360" alt="Drupal Cambridge Analytica" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>tl;dr: The Cambridge Analytica site is running a version of <a href="https://drupal.org/">Drupal</a> that is affected by SA-CORE-2018-002, the highly critical remote code execution vulnerability (CVE-2018-7600) announced on March 28th, 2018.</p> <p>Yesterday the Drupal Security Team announced a major security vulnerability in the Drupal Content Management System. Every supported release of Drupal 7 and 8 is affected, and the issue is rated highly critical because it allows remote code execution without needing an account on the site: an attacker who can reach the site can run code on it. Just like the Drupalgeddon vulnerability in 2014, this is a very serious issue and easy to exploit once a working attack circulates. <strong>Drupalgeddon</strong> led to thousands of sites being compromised; the best known case is the Panama Papers leak, attributed in part to an unpatched Drupal installation.</p> <p>In recent news the biggest data leak has been the debacle in which Facebook data was used by Cambridge Analytica to influence elections in a number of countries. You would think that <strong>Cambridge Analytica</strong>, holding such sensitive data, would insist on high grade security. That does not seem to be the case, as their main website is running a vulnerable version of <strong>Drupal 8</strong>. 
The issue is rated highly critical, and fixed releases exist for every affected branch: Drupal 7.58, 8.3.9, 8.4.6 and 8.5.1.</p> <p><img alt="Drupal readme revealing vulnerable version" data-entity-type="file" data-entity-uuid="f453d1c0-3588-479c-b191-d4d1f6db9469" src="http://drupal.sh/sites/default/files/inline-images/drupal-readme.png" style="float:left;margin:1em;max-width:480px;" class="align-right" />The change log the site serves publicly (<a href="https://cambridgeanalytica.org/core/CHANGELOG.txt">https://cambridgeanalytica.org/core/CHANGELOG.txt</a>) shows the running version to be 8.4.5 (as of 03/29/2018 - 16:24). That release is dated February 21st, 2018 and fixes the previous Drupal security advisory (<strong>SA-CORE-2018-001</strong>), but not this one. The <a href="https://drupal.sh/drupal-critical-vulnerability-exploit-sa-core-2018-002">vulnerability</a> has now been public for 24 hours, and given its rating and the attention it has received it is likely that working exploits will follow quickly. One caveat: CHANGELOG.txt records the last full core release that was installed, so a site patched with the standalone patch from the advisory would still show 8.4.5. The file is a strong indicator, not proof.</p> <p>So it might be that Drupal will again be a tool for leaking critical information, should <a href="https://cambridgeanalytica.org">the Cambridge Analytica site</a> built with Drupal 8 hold any sensitive data or have connections to APIs that do. 
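The version check the post performs by hand, as an added example (not code from drupal.sh, from the Drupal project or from any site named above): it reads the newest release line from a CHANGELOG.txt the way the post does and compares it with the first fixed release on each branch for both advisories named here, SA-CORE-2018-001 and SA-CORE-2018-002. The changelog excerpt is constructed; the fixed version numbers are the ones the advisories give, and the rule that a branch newer than every fixed release already contains the fix is the example's own heuristic.

```python
"""Check a Drupal release, read from the site's public CHANGELOG.txt, against
the first fixed release of SA-CORE-2018-001 and SA-CORE-2018-002.

Added example for this post; not code from drupal.sh, from the Drupal project
or from any site named above. The CHANGELOG excerpt is constructed to follow
the real file's layout (newest release first); the version numbers in FIXED_IN
are the ones the two advisories give.
"""
import re
from typing import Dict, Optional, Tuple

# First release on each branch that contains the fix, per advisory.
# Branch keys: "7" for Drupal 7, "MAJOR.MINOR" for Drupal 8.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "SA-CORE-2018-001": {"7": "7.57", "8.4": "8.4.5"},
    "SA-CORE-2018-002": {"7": "7.58", "8.3": "8.3.9", "8.4": "8.4.6", "8.5": "8.5.1"},
}

# Constructed sample of a Drupal 8 core/CHANGELOG.txt.
SAMPLE_CHANGELOG = """\
Drupal 8.4.5, 2018-02-21
------------------------
- Fixed security issues:
  - SA-CORE-2018-001

Drupal 8.4.4, 2018-01-03
------------------------
- Fixed a number of bugs.
"""

# A release line looks like "Drupal 8.4.5, 2018-02-21" or "Drupal 7.57, 2018-02-21".
RELEASE_RE = re.compile(r"^Drupal (\d+(?:\.\d+){1,2})(-[\w.]+)?,", re.MULTILINE)


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.5.0-rc1' -> (8, 5, 0, 0); '8.5.0' -> (8, 5, 0, 1).

    The last element ranks a pre-release below the final release that carries
    the same number, so tuple comparison orders versions the way Drupal does.
    """
    number, _, suffix = version.partition("-")
    return tuple(int(p) for p in number.split(".")) + ((0,) if suffix else (1,))


def branch(version: str) -> str:
    parts = version.partition("-")[0].split(".")
    return parts[0] if parts[0] == "7" else ".".join(parts[:2])


def version_from_changelog(changelog: str) -> Optional[str]:
    """Newest release listed in CHANGELOG.txt, or None if no release line is found."""
    match = RELEASE_RE.search(changelog)
    return match.group(1) + (match.group(2) or "") if match else None


def is_fixed(version: str, fixed: Dict[str, str]) -> bool:
    """True if `version` already contains the fix described by `fixed`.

    Known branch: compare against that branch's fixed release. Unknown branch:
    a branch newer than every fixed release of the same major is assumed to
    have shipped after the advisory (heuristic); any older branch was already
    unsupported and never received the fix.
    """
    v = parse_version(version)
    if branch(version) in fixed:
        return v >= parse_version(fixed[branch(version)])
    all_fixed = [parse_version(f) for f in fixed.values()]
    same_major = [f for f in all_fixed if f[0] == v[0]]
    if not same_major:
        return v[0] > max(f[0] for f in all_fixed)
    return v > max(same_major)


def assess(version: str) -> Dict[str, bool]:
    """Map each advisory to whether `version` contains its fix."""
    return {sa: is_fixed(version, fixed) for sa, fixed in FIXED_IN.items()}


def report(changelog: str) -> str:
    version = version_from_changelog(changelog)
    if version is None:
        return "no Drupal release line found in CHANGELOG.txt"
    lines = [f"CHANGELOG.txt reports Drupal {version}"]
    for sa, fixed in assess(version).items():
        lines.append(f"  {sa}: {'fixed' if fixed else 'NOT fixed'}")
    # Caveat: a site patched with the standalone patch from an advisory keeps its
    # old release line, so "NOT fixed" is a lead to verify, not a verdict.
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CHANGELOG))
```

Run it against the text fetched from /core/CHANGELOG.txt (Drupal 8) or /CHANGELOG.txt (Drupal 7). Denying those files in the web server configuration hides the release from casual fingerprinting, but only installing the fixed release removes the exposure.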
Currently it seems the Cambridge Analytica Drupal is a multisite install, with at least the following sites showing the same vulnerable version:</p> <ul><li><a href="https://cambridgeanalytica.org/core/CHANGELOG.txt">https://cambridgeanalytica.org</a></li> <li><a href="https://ca-commercial.com/">https://ca-commercial.com</a></li> <li><a href="https://ca-political.com/">https://ca-political.com</a></li> </ul><p>See details on the highly critical remote code execution vulnerability in Drupal versions 7 and 8: <a href="https://www.drupal.org/sa-core-2018-002">https://www.drupal.org/sa-core-2018-002</a></p> </div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2018-03-29T16:23:23+00:00" class="field field--name-created field--type-created field--label-hidden">Thu, 03/29/2018 - 16:23</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> </ul></div> Drupal Critical Vulnerabilities Exploit (SA-CORE-2018-002) http://drupal.sh/drupal-critical-vulnerability-exploit-sa-core-2018-002 <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Drupal Critical Vulnerabilities Exploit (SA-CORE-2018-002)</span> <div class="field 
field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2018-03/drupaal.jpg?itok=WF_SLFiH" width="480" height="360" alt="Drupal Critical Vulnerability Exploit (SA-CORE-2018-002)" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Drupal is a content management system often used for enterprise content management projects. The tool is large and has integrated features such as a database entity system, and the resulting API surface leaves it open to many attack vectors. The Drupal Security Team publishes advisories and fixed releases, but nothing pushes those updates onto sites; every operator has to apply them, so vulnerable installs linger, as was the case with Drupalgeddon in 2014.</p> <p>On March 28th the Drupal Security Team announced <strong>SA-CORE-2018-002</strong>, a highly critical remote code execution vulnerability (CVE-2018-7600) in the supported Drupal versions 7 and 8. The vulnerability lies deep in Drupal core and thus makes every unpatched Drupal installation vulnerable. 
The advisory withholds technical details, but remote code execution means an attacker gets at least the privileges of the web server process: enough to read the database credentials in settings.php, the files directory and whatever else the server can reach.</p> <p>The previous advisory, <strong>SA-CORE-2018-001</strong> from February 21st, 2018 (fixed in Drupal 7.57 and 8.4.5), covered the following individual issues, and a site that never applied that one is exposed to them as well:</p> <ul><li>Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926</li> <li>JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927</li> <li>Private file access bypass - Moderately Critical - Drupal 7 - CVE-2017-6928</li> <li>jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7 - CVE-2017-6929</li> <li>Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8 - CVE-2017-6930</li> <li>Settings Tray access bypass - Moderately Critical - Drupal 8 - CVE-2017-6931</li> <li>External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7 - CVE-2017-6932</li> </ul><p><img alt="Drupalgeddon Redux" data-entity-type="file" data-entity-uuid="bb278326-86a6-4cf1-967c-5ae4cdb09866" src="http://drupal.sh/sites/default/files/inline-images/drupaauul2.jpg" style="max-width:480px;margin:2em;" class="align-right" /></p> <p>By exploiting Drupal vulnerabilities attackers can expose sensitive user data publicly. This is similar to what happened when <a href="https://drupal.sh/drupal-panama-papers-leaks-mossack-fonseca">a vulnerable version of Drupal was used at Mossack Fonseca</a>, leading to the Panama Papers, one of the largest document leaks on record. A typical Drupal site does not hold a dataset anywhere near the size of Facebook's, so a leak on the scale of the Cambridge Analytica one is unlikely to come out of Drupal alone, but a compromised site still exposes every user account it holds and any API credentials stored in its configuration.</p> <p>Popular web application platforms like Drupal are well known and widely deployed, which makes them easy targets to find and exploit. 
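Since vulnerable installs are found by automated crawling, one thing a site operator can do today is look for that crawling in the access log. The following is an added example (not code from drupal.sh or the Drupal project) that scans combined-format log lines for requests to the two files the post above reads to learn a site's release, CHANGELOG.txt and core/CHANGELOG.txt. A 200 on either means the site is disclosing its release; repeated requests from one client are reconnaissance. The log lines are constructed.

```python
"""Find version-fingerprinting requests in a combined-format web access log.

Added example for this post; not code from drupal.sh or the Drupal project.
The log lines are constructed. The two paths are the files read above to learn
a site's release: /CHANGELOG.txt on Drupal 7 and /core/CHANGELOG.txt on Drupal 8.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Apache/nginx "combined" format: host ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Files that disclose the installed release. No page on the site links to them.
VERSION_FILES = frozenset({"/CHANGELOG.txt", "/core/CHANGELOG.txt"})

# Constructed sample: one scanner that gets the Drupal 8 file, a normal visitor,
# and a second client whose request is already blocked with a 403.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2018:16:20:01 +0000] "GET /core/CHANGELOG.txt HTTP/1.1" 200 8912 "-" "python-requests/2.18.4"
203.0.113.7 - - [29/Mar/2018:16:20:02 +0000] "GET /CHANGELOG.txt?_=1522340402 HTTP/1.1" 404 5120 "-" "python-requests/2.18.4"
198.51.100.23 - - [29/Mar/2018:16:21:10 +0000] "GET /node/12 HTTP/1.1" 200 15320 "https://www.example.org/" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2018:16:21:45 +0000] "GET /user/login HTTP/1.1" 200 6011 "-" "python-requests/2.18.4"
192.0.2.55 - - [29/Mar/2018:16:30:00 +0000] "GET /core/CHANGELOG.txt HTTP/1.1" 403 199 "-" "curl/7.58.0"
"""


class Hit(NamedTuple):
    ip: str
    path: str
    status: int
    agent: str


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def version_file_hits(log: str) -> List[Hit]:
    """Every request for a version-disclosing file, whatever the response code."""
    hits: List[Hit] = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if path in VERSION_FILES:
            hits.append(Hit(rec["ip"], path, int(rec["status"]), rec["agent"]))
    return hits


def exposed_paths(log: str) -> Set[str]:
    """Version files the server actually served (HTTP 200): the release is public."""
    return {h.path for h in version_file_hits(log) if h.status == 200}


def scanners(log: str) -> Dict[str, int]:
    """Number of version-file requests per client address."""
    counts: Dict[str, int] = defaultdict(int)
    for h in version_file_hits(log):
        counts[h.ip] += 1
    return dict(counts)


def summary(log: str) -> str:
    hits = version_file_hits(log)
    served = ", ".join(sorted(exposed_paths(log))) or "none"
    lines = [f"version files served with 200: {served}"]
    for ip, n in sorted(scanners(log).items(), key=lambda kv: -kv[1]):
        agents = "; ".join(sorted({h.agent for h in hits if h.ip == ip}))
        lines.append(f"{ip}: {n} version-file request(s), agent(s): {agents}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
```

Feed it the real access log and act on both halves of the output: any path reported as served with 200 should be denied in the web server configuration, and a client address with many version-file requests across the virtual hosts of a multisite install is a scanner worth blocking, or at least watching for follow-up requests.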
Unlike Meltdown and Spectre, which took real expertise to turn into a working attack, a Drupal vulnerability like this is far easier to exploit at scale: Drupal does not update itself, the sites are reachable on the internet around the clock, and installs can be found and fingerprinted automatically, the way bots already crawl for WordPress sites. That is the downside of a popular platform.</p> <p>More details from Drupal.org: <a href="https://www.drupal.org/sa-core-2018-002">https://www.drupal.org/sa-core-2018-002</a> and, for the earlier batch of issues, <a href="https://www.drupal.org/sa-core-2018-001">https://www.drupal.org/sa-core-2018-001</a></p> </div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2018-03-28T18:09:08+00:00" class="field field--name-created field--type-created field--label-hidden">Wed, 03/28/2018 - 18:09</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> <li><a href="http://drupal.sh/taxonomy/term/51" property="schema:about" hreflang="en">exploit</a></li> <li><a href="http://drupal.sh/taxonomy/term/52" property="schema:about" hreflang="en">vulnerability</a></li> </ul></div> Why is Drupal now the second most hated platform behind SharePoint? 
http://drupal.sh/drupal-hated-sharepoint-platform-stack-overflow <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Why is Drupal now the second most hated platform behind SharePoint?</span> <div class="field field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2018-03/drupal-sharepoint.jpg?itok=lDd3Zy4K" width="480" height="361" alt="Drupal is the new Sharepoint" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>The annual Stack Overflow <a href="https://insights.stackoverflow.com/survey/2018/?utm_source=jorma&utm_medium=jorma&utm_campaign=jorma">Developer Survey results are in for 2018</a>. The world's leading developer platform draws together unique insight on the technology landscape from over 100,000 developers, and the trends keep shifting.</p> <p>What was the hottest thing just last week might no longer be that; in fact it may already be seen as horrible legacy. This certainly seems to be the case for <strong>Drupal</strong>, which is now the second most dreaded development platform, just behind <strong>Microsoft SharePoint</strong>.</p> <p>Drupal has been around for almost twenty years and it has certainly had a good run. From humble beginnings the tool grew to a hegemony in some markets during the early 2010s, when everything "had a module for that". Almost everyone loved Drupal.</p> <p>Now, some years after the launch of Drupal 8, the tool is clearly targeted towards enterprise project implementations. 
<strong>Acquia</strong> is driving the tool in that direction, whether it admits it or not:</p> <blockquote> <p>This is probably largely due to the fact that Drupal has gone after the enterprise market and there is a much smaller number of installations it can potentially reach. Granted that these are more valuable. As a complex tool Drupal is also no longer as attractive to enthusiasts and tinkerers, many of whom are now opting for WordPress, Craft CMS or something completely different instead.<br /> - <a href="http://drupal.sh/has-drupal-adoption-stalled-enterprise">Has Drupal adoption stalled because it's now enterprise tech?</a></p> </blockquote> <p>Drupal no longer has the dev-appeal of being a nimble and fast tool to work with. JavaScript, Serverless and other technology trends are drawing developers away, and Drupal is increasingly seen as a complex tool. Drupal itself might be reasonably nimble, but the projects done with it are now largely enterprise scale. The <a href="http://drupal.sh/drupal-market-share-trends-statistics">number of Drupal installations has stayed stagnant</a>, while the deal size coveted by business developers has grown.</p> <p>There's no arguing Drupal is more capable and better than ever, but it's no longer a developer's favourite. You could <a href="http://drupal.sh/in-a-world-of-microservices-is-drupal-an-unwanted-swiss-army-knife">try to shoehorn Drupal into microservices</a>, but that's <a href="https://react-etc.net/entry/drupal-react">lipstick on a pig, like adopting React</a>. This is why it's falling like a rock in developer mindshare, and it will eventually make <a href="https://drupal.sh/drupal-burning-platform">agencies see Drupal as a burning platform</a> too, as they struggle to attract top talent willing to use Drupal. Eventually customers will also see Drupal as a sunset technology. 
Hell, even <a href="https://dri.es/announcing-node-js-on-acquia-cloud">Acquia is distancing itself from Drupal with Node.js</a> and React.</p> <p>Unfortunately there's no easy way of changing this, and with SharePoint changing its market it is likely that Drupal will become the most hated platform. There's plenty of money to be made in Drupal, but much less fun than before. And <a href="https://drupal.sh/drupal-discrimination-larry-garfield">the discrimination of community members</a> is not helping. Come for the software, leave for the community?</p> <p>Below you can see <a href="https://insights.stackoverflow.com/survey/2018/?utm_source=jorma&utm_medium=jorma&utm_campaign=jorma#technology-most-loved-dreaded-and-wanted-platforms">the most dreaded platforms in 2018</a>: SharePoint, Drupal, Salesforce, Mainframe, Windows Phone, WordPress.<img alt="Drupaal" data-entity-type="file" data-entity-uuid="e42ba525-ed36-4003-bb58-9dd15e910188" src="http://drupal.sh/sites/default/files/inline-images/stack-overflow-drupal-sharepoint.png" class="align-right" /></p></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2018-03-16T07:40:10+00:00" class="field field--name-created field--type-created field--label-hidden">Fri, 03/16/2018 - 07:40</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> <li><a href="http://drupal.sh/taxonomy/term/50" property="schema:about" hreflang="en">sharepoint</a></li> </ul></div> <section rel="schema:comment" class="field field--name-comment field--type-comment field--label-above 
comment-wrapper"></section> GraphQL, React and Next.js for Drupal developers http://drupal.sh/graphql-react-next-drupal <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">GraphQL, React and Next.js for Drupal developers</span> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Drupal is a popular enterprise grade Content Management System (CMS) that has traditionally been built around the PHP server side programming language. Drupal also adopted the jQuery and Backbone JavaScript libraries relatively early. With <a href="https://symfony-cms.net/drupal-8">Drupal 8</a> finally bringing Drupal up to par on heavyweight Object Oriented Programming methodologies, it is now a more worthy contender to systems built with enterprise grade tools written in Java and .NET.</p> <p>Nevertheless the technology landscape in web development is constantly changing, and as a monolithic system built to serve a wide audience Drupal is never on the bleeding edge. This is why Drupal developers need to wait and see what surfaces as a winning solution, even if it means using some antiquated approaches in the meantime. 
Recently the Drupal community has woken up to some technologies already widely in use by more innovative Open Source communities, like those around JavaScript, Python and Golang.</p> <p>Here are a few technologies that Drupal developers can try to catch up on, before the bleeding edge deems them harmful legacy:</p> <ul><li><a href="graphql.org">GraphQL</a> is a query language for APIs, with a server-side runtime, that makes client-server communication straightforward: the client states exactly which fields it wants and gets back just those. Since its public release in 2015 it has gained momentum and now, going into 2018, <a href="https://react-etc.net/entry/graphql-has-momentum">GraphQL is gaining critical mass</a>. With mature client libraries like <a href="https://react-etc.net/entry/apollo-vs-relay-modern">Apollo and Relay Modern</a> on the market, there is no shortage of server implementations either. For Drupal there is already a module in development that allows developers to use <a href="https://www.drupal.org/project/graphql">Drupal with GraphQL</a>.</li> <li><a href="http://reactjs.org/">React</a> is a view library for JavaScript, and now the most popular way of developing JavaScript applications. Using React, developers create declarative interfaces where they concentrate on what needs to happen instead of how, as opposed to DOM manipulation with jQuery. WordPress adopted React years ago, and now Drupal is trying to catch up, with <a href="https://nodejs.org/en/">Acquia pushing for the inclusion of React into Drupal</a> as the two PHP CMS titans battle for market share.</li> <li><a href="https://github.com/zeit/next.js/">Next.js</a> is a JavaScript framework. Unlike a conventional framework, Next does not run exclusively on the server or in the browser: it is a universal framework that runs the same JavaScript code on the server and on the client. Notably, Next.js uses React as its view layer. 
It offers great performance and Search Engine Optimisation (SEO) capability, because the React code is rendered on the server using SSR (Server Side Rendering).</li> </ul><p>For Drupal developers this is great, as you can build decoupled sites and applications on the skillset above using familiar technologies, but you can also <a href="https://symfony-cms.net/qraphql-frees-you-from-cms-ecosystems">decouple yourself from a single CMS</a>, because React and Next are universally applicable and can be used with <a href="https://www.react-etc.net/entry/graphql-cms-alternatives-in-2018">any GraphQL capable CMS</a>.</p></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2017-10-06T19:06:33+00:00" class="field field--name-created field--type-created field--label-hidden">Fri, 10/06/2017 - 19:06</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> <li><a href="http://drupal.sh/taxonomy/term/2" property="schema:about" hreflang="en">graphql</a></li> <li><a href="http://drupal.sh/taxonomy/term/25" property="schema:about" hreflang="en">react</a></li> </ul></div> Tracking Drupal usage in 2017 and 
future market share with Google Trends and the Drupal Registry http://drupal.sh/drupal-market-share-trends-statistics <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Tracking Drupal usage in 2017 and future market share with Google Trends and the Drupal Registry</span> <div class="field field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2017-05/drupal.png?itok=iJpDe_Zw" width="320" height="302" alt="Drupal logo" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Recently much has been said about the market share of Drupal and where it is heading. It is clear by now that Drupal will never match the reach that WordPress can claim, but it is still interesting to see where the powerful Open Source CMS is going in terms of volume.</p> <p>The Drupal project itself lists usage statistics for both <a href="https://www.drupal.org/project/usage/drupal">the core platform</a> and the modules that are needed to bolster the bare-bones core before it is usable for anything beyond basic publishing tasks. The project's internal statistics have been flatlining since January 2015, with total usage holding at about 1.2 million sites. However, these numbers don't look very reliable, since there are big unexplained shifts in them.</p> <p>In addition it could be argued that statistics provided by the first party are never very reliable. This is why it's worth taking a look at the <a href="https://trends.google.com/trends/explore?q=drupal">Google Trends graphs for Drupal</a>. 
These come from the largest global source of data on what people search for, Google, so they represent broad trends well, although they measure search interest rather than running installations.</p> <img alt="Drupal usage decreasing steadily" data-entity-type="file" data-entity-uuid="3404a38f-acaf-42f5-a7c7-1865a1e3ecb6" src="http://drupal.sh/sites/default/files/inline-images/drupalstatix.png" class="align-center" /><p>Unfortunately the trend looks similar to what Drupal itself is experiencing: a continuous decline since 2009, which coincides with <a href="http://drupal.sh/drupal-burning-platform">the decreasing number of new users registering on Drupal.org</a>. With the project leaders touting continuous success and strong momentum, it's hard to understand where these trends come from.</p> <p>To understand the concrete changes in the Drupal market share it's worth looking at who has been using Drupal but is no longer doing so. For this there is an online service called <a href="http://drupal-registry.com">the Drupal Registry</a>, which tracks a large number of Drupal powered sites to see whether and when they stop using Drupal.</p> <p>The Drupal Registry says it applies machine learning and large scale data analysis to its crawl data, so that it can offer predictions of how the Drupal market share will evolve rather than just historical numbers.</p> <p>Armed with this data you can make an informed decision on whether Drupal is something for you, as a professional or a business owner, to invest time and money in going forward. 
All without employing in-house data scientists.</p></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2017-05-09T12:38:48+00:00" class="field field--name-created field--type-created field--label-hidden">Tue, 05/09/2017 - 12:38</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> <li><a href="http://drupal.sh/taxonomy/term/44" property="schema:about" hreflang="en">market share</a></li> </ul></div> Drupal, Dries and the Larry Garfield discrimination http://drupal.sh/drupal-discrimination-larry-garfield <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Drupal, Dries and the Larry Garfield discrimination</span> <div class="field field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2017-07/drupal.png?itok=gKjIeVXU" width="480" height="161" alt="Drupal discrimination" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary 
field--label-hidden field__item"><p>Drupal has been big on diversity and inclusion, priding itself on being one of the biggest, friendliest open source communities around. As such, it has been a prime hotspot for activists pushing feminist-flavored social justice rhetoric. The project adopted a code of conduct, established a Community Working Group, and basically bent over backwards to satisfy the demands of those who see the open source world as a problematic place where meritocracy is used to justify gatekeeping and elitism.</p> <p>On top of this, there is a tangled web of commercial interests mixed in, with the project's 'benevolent dictator' Dries Buytaert being both chairman of the non-profit Drupal Association (which runs the DrupalCon conferences) and the founder of Acquia, a very large enterprise that employs many of the core people in the community. Combine this with a cottage industry of web shops serving small and medium enterprises, and you get a lot of tug-of-war arguments over how the project should evolve. The project has already forked once over such disagreements.</p> <figure role="group" class="caption caption-img align-left"><img alt="Dries Buytaert Chat Log" data-entity-type="file" data-entity-uuid="ddb7533e-2a2b-4661-b5a9-d3621b4ef5ca" height="396" src="http://drupal.sh/sites/default/files/inline-images/drupal1_0.jpg" width="320" /><figcaption>Dries Buytaert describing the situation in a private chat log</figcaption></figure><p>In March 2017, Larry Garfield, a high profile contributor, posted a blog post titled "<a href="https://www.garfieldtech.com/blog/tmi-outing">TMI about me</a>", in which he revealed that Dries had asked him to step down from the community and that he had been removed as a speaker and track curator for DrupalCon. He revealed that he was into the kinky BDSM lifestyle known as Gor, and that someone had dug up a profile of his on a fetish dating site. 
Based on his statements about consensual master/slave relationships, the image had been created that he was a misogynist who considered women inferior. This whisper campaign had been going on since October.</p> <p>In the ensuing drama, a dossier was leaked, compiled by people on the diversity and inclusion channel of the Drupal Slack, featuring various tweets of his taken out of context to further paint Garfield as a chauvinistic wrongthinker. It also came out that he had supposedly brought a woman to DrupalCon with whom he was in a dom/sub relationship, and some people took offense at the implication that he had a female slave. It is alleged that this dossier was used to pressure the DA into action, as a form of blackmail.</p> <p>The Drupal Association and Dries published a statement, and it went back and forth for a while between more of Larry's blogging and more statements. Many felt the DA was being evasive and disingenuous, contradicting itself on whether conduct or moral values were the issue. Others saw the Garfield case as a prime example of the problems they see all over open source and tech, and took the other side. A Drupal Confessions site was created where people published their objections to the drama, some by name, others anonymously, opposing the Association's inept handling and the witch-hunters' sense of moral superiority.</p> <figure role="group" class="caption caption-img align-right"><img alt="Larry Garfield doxxing" data-entity-type="file" data-entity-uuid="50160f3e-4a4a-4bec-9ccb-6435493c611a" height="157" src="http://drupal.sh/sites/default/files/inline-images/drupal2.jpg" width="338" /><figcaption>According to Dries Buytaert, Larry Garfield has women slaves and has brought them to Drupal events</figcaption></figure><p>Attempts were made to solicit feedback on community governance, and the drama mostly fizzled out over the last few months. 
Now the DA has published a new statement out of the blue, suggesting it is the end result of talks behind closed doors between the affected parties, but once again deflecting blame away from themselves and onto Larry. It is anyone's guess why they feel the need to publicly draw this out again, but one can guess that it is a pre-emptive defense against further legal proceedings.</p> <p>Source: <a href="https://www.drupal.org/association/blog/drupal-association-and-project-lead-statement-regarding-larry-garfield">At least the PHP community is not as toxic as the Drupal one</a></p></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2017-04-15T06:06:07+00:00" class="field field--name-created field--type-created field--label-hidden">Sat, 04/15/2017 - 06:06</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> <li><a href="http://drupal.sh/taxonomy/term/45" property="schema:about" hreflang="en">crell</a></li> <li><a href="http://drupal.sh/taxonomy/term/46" property="schema:about" hreflang="en">larry</a></li> <li><a href="http://drupal.sh/taxonomy/term/47" property="schema:about" hreflang="en">garfield</a></li> </ul></div> 
52 at http://drupal.sh Drupal 8 lead PHP developer Larry Garfield (Crell) forced to leave the project http://drupal.sh/drupal-8-lead-developer-larry-garfield-crell-forced-to-leave-project <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Drupal 8 lead PHP developer Larry Garfield (Crell) forced to leave the project</span> <div class="field field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2017-04/drupal8.png?itok=b0Div1QI" width="296" height="335" alt="Drupal 8 logo" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Over the last few weeks the Drupal community has been in turmoil over the news that Drupal 8 lead developer Larry Garfield, AKA Crell, has been forced to <a href="http://buytaert.net/living-our-values">leave the project</a>:</p> <blockquote> <p><br /> A few weeks ago, I privately asked Larry Garfield, a prominent Drupal contributor, to leave the Drupal project. I did this because it came to my attention that he holds views that are in opposition with the values of the Drupal project.</p> </blockquote> <p>This stems from personal differences in views between Project Lead Dries Buytaert and Larry. The exact reasons remain murky, but no crime has been committed - this much is certain.</p> <p>Larry has been open in his communication on his part, in a series of articles - ending with <a href="//www.garfieldtech.com/blog/tmi-part-3">Regarding the continued mystery</a>. 
In the meantime the Drupal Association has also been <a href="https://www.drupal.org/association/blog/working-through-the-concerns-of-our-community">communicating with the community</a>, and <a href="http://buytaert.net/next-steps-for-evolving-drupal-governance">Dries has promised expediting organisational changes</a> to the Drupal Association.</p> <p>While the backstory remains unclear, the bottom line is that for the Drupal project Larry is a great loss. He was fundamental in architecting the underpinnings that make <a href="https://symfony-cms.net/drupal-8">Drupal 8</a> tick, actively developing as well as maintaining relations with the broader PHP community.</p> <p>Apparently Larry had already been looking at focusing on other things, and this was key in Dries' decision to exercise his authority to expel him from the project. Regardless of whether or not Drupal will continue to be a large part of Larry's life, we hope all the best for him both professionally and personally.</p> <p>It is worth noting that this news comes just months after the ousting of another key member of the Drupal community, Karoly Négyesi (chx), following <a href="http://drupal.sh/karoly-negyesi-chx-ousted-from-drupal-community">accusations over an edgy personality</a>. 
The key lesson here is that Open Source is very much about politics, and committing yourself too heavily to a single project with a strong leader can be risky.</p> <p>It looks like the Drupal community has already felt the tremors in the form of the <a href="https://www.drupalconfessions.org">Drupal Confessions</a> movement:</p> <blockquote>As you are painfully aware, recently a controversy erupted in our community that has shaken the community to its core, one which has shocking implications for all those of us who work in the Drupal community; one which has caused all of us to question our desire for continued involvement in the project.</blockquote> <p>It looks like the upcoming Drupalcon Baltimore in the US later this month will be an interesting event and could be a significant watershed for the Drupal project.</p> <p><strong>Update</strong>: In recent news the Drupal Community Working Group has stated that <a href="https://docs.google.com/document/d/1Qlc0FvM4UWyn4DpW8JKRcVqnHAIdrj2INOZZF62s_Pc/edit">Larry has NOT been officially exiled from Drupal</a>, but that this is only Dries' personal move, which is yet to be ratified. In the meantime Klausi, who originally reported on Larry's activities, has been asked to <a href="https://www.drupal.org/node/2870315">step down from his core roles</a>:</p> <blockquote> <p>The Community Working Group asked me to step down as core maintainer and PHPUnit initiative lead in order to allow the community time to heal and to give others time to rebuild trust with me. 
I agreed to that.</p> </blockquote></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2017-04-14T18:47:03+00:00" class="field field--name-created field--type-created field--label-hidden">Fri, 04/14/2017 - 18:47</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> <li><a href="http://drupal.sh/taxonomy/term/42" property="schema:about" hreflang="en">acquia</a></li> </ul></div> Fri, 14 Apr 2017 18:47:03 +0000 dryer 50 at http://drupal.sh Security vulnerability in unmaintained Drupal contrib module puts 120000 sites at risk http://drupal.sh/vulnerable-drupal-contrib-module-puts-120000-sites-at-risk <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Security vulnerability in unmaintained Drupal contrib module puts 120000 sites at risk</span> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="Drupal references" data-entity-type="file" data-entity-uuid="72ce89dc-cb49-47ff-9473-071a59e80ed8" height="225" 
src="http://drupal.sh/sites/default/files/inline-images/drupal-references-use.png" width="505" class="align-right" />Drupal is known for its large number of community-contributed modules that add functionality to the bare-bones core system. While the core system is actively maintained by the Drupal security team, there is no such guarantee for third-party modules.</p> <p>One such community contribution is <a href="https://www.drupal.org/project/references">"References"</a>, a module that allows adding references between nodes to build complex information architectures.</p> <p>The module is currently used by <a href="https://www.drupal.org/project/usage/references">over 120 000</a> individual Drupal installations, but is no longer maintained; the last update was in February 2013. Unfortunately a critical security vulnerability in the References module has now been reported by the Drupal security team as <a href="https://www.drupal.org/node/2869138">SA-CONTRIB-2017-38</a>:</p> <blockquote> <p>Please note, the security team will not release information on this vulnerability for up to a month, the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.</p> </blockquote> <p>They have published the advisory on the Drupal security site and will keep the details out of the public for up to 30 days. This is plenty of time for malicious parties to track down the issue in <a href="http://cgit.drupalcode.org/references">the source code</a>. In the past Drupal core has had high-profile security issues, some even <a href="https://drupal.sh/drupal-panama-papers-leaks-mossack-fonseca">leading to the Panama Papers leak</a>. Those were handled well by the security team, but because this module is unsupported, the security team simply will not fix it. 
Instead they only recommend moving to another module that provides similar capability:</p> <blockquote> <p>Notably, if you started with References and need to maintain equivalent functionality, we recommend reviewing the feature set of Entity Reference. If Entity Reference can work for you, there is a Reference to EntityReference Field Migration module that can assist in the transition.</p> </blockquote> <p>With a critical issue in such a widely used, unsupported module, it is almost guaranteed that a large number of sites will be subject to attacks using this as a vector. Given Drupal's tradition of large backward-compatibility breaks, some sites might be difficult to migrate. Migrating an enterprise site that relies heavily on References may simply be impossible, which will hopefully drive a corporate entity to take over maintenance of the module.</p> <p>This issue comes at an unfortunate time, when there is plenty of controversy over the Drupal project in general: over the sustainability of <a href="http://drupal.sh/drupal-burning-platform">Drupal as an Enterprise platform</a> as well as over community governance, following the controversy of <a href="https://twitter.com/drupaldrama/status/852681690812207104">ousting key developers from the project</a>. A dependency on unmaintained third-party modules does not play well with the system's ambitions to take over the enterprise market. 
In this case, there is simply no responsible party left for this community extension.</p></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2017-04-14T16:32:32+00:00" class="field field--name-created field--type-created field--label-hidden">Fri, 04/14/2017 - 16:32</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> <li><a href="http://drupal.sh/taxonomy/term/6" property="schema:about" hreflang="en">security</a></li> </ul></div> Fri, 14 Apr 2017 16:32:32 +0000 dryer 49 at http://drupal.sh Drupal is a Burning Platform? 
http://drupal.sh/drupal-burning-platform <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Drupal is a Burning Platform?</span> <div class="field field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2017-04/drupal-fire.png?itok=lM8Mn2yh" width="239" height="239" alt="Drupal on fire" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Some six years ago a company CEO wrote this <a href="https://www.forbes.com/sites/ericsavitz/2011/02/09/ceos-burning-platform-memo-highlights-nokias-woes/#357f87168296">infamous email</a> to his employees:</p> <blockquote> <p><em>There is a pertinent story about a man who was working on an oil platform in the North Sea. He woke up one night from a loud explosion, which suddenly set his entire oil platform on fire. In mere moments, he was surrounded by flames. Through the smoke and heat, he barely made his way out of the chaos to the platform's edge. When he looked down over the edge, all he could see were the dark, cold, foreboding Atlantic waters.</em><br />  </p> <p><em>As the fire approached him, the man had mere seconds to react. He could stand on the platform, and inevitably be consumed by the burning flames. Or, he could plunge 30 meters in to the freezing waters. The man was standing upon a "burning platform," and he needed to make a choice.</em></p> <p><em>He decided to jump. It was unexpected. In ordinary circumstances, the man would never consider plunging into icy waters. But these were not ordinary times - his platform was on fire. The man survived the fall and the waters. 
After he was rescued, he noted that a "burning platform" caused a radical change in his behaviour.</em></p> <p><em>We too, are standing on a "burning platform," and we must decide how we are going to change our behaviour.</em></p> </blockquote> <p>This company was Nokia, then the largest manufacturer of mobile phones. This juggernaut had shaped telecom industry standards and had been a market leader for many years. Since that memo to the staff regarding their outdated technical platform, Symbian, the company has gone through some radical times: first adopting Microsoft's Windows Phone operating system, then selling the phone business to the US software company altogether. It is noteworthy that there are no phones on the market built by that company today.</p> <figure role="group" class="caption caption-img align-right"><img alt="Drupal Community Registration Statistics from 2001 to 2016" data-entity-type="file" data-entity-uuid="46786f9c-7bf3-4ace-a431-b096ead3ab98" height="320" src="http://drupal.sh/sites/default/files/inline-images/drupal-decline.jpg" width="256" /><figcaption>Drupal.org registrations from 2001 to 2016 (http://bit.ly/2o2kmJC) </figcaption></figure><p>Back in 2011 Drupal 7 had just been released and the Drupal community was gaining momentum rapidly. But during the last year or so, the story about the burning platform has started to ring familiar to Drupalers. Since the launch of <a href="https://drupal.sh/drupal-8-is-released">Drupal 8</a> there has been some stagnation in the market in regards to the new version taking off, but most importantly there has been too much chatter about things not related to the project. 
This is a typical focus for a company or product that is past its prime.</p> <p>With members such as <a href="http://drupal.sh/karoly-negyesi-chx-ousted-from-drupal-community">Karoly Négyesi (chx)</a> and <a href="https://www.garfieldtech.com/blog/tmi-part-3">Larry Garfield (Crell)</a> ousted from the community, the official emails from the Drupal leadership increasingly sound like reassuring communication from the well-paid leader of an enterprise. There is a lot at stake here, with the investment of time and money from companies and individuals, but it seems that, like the Nokia leadership in its time, Drupal's leadership has acted too late to take radical action, instead yielding to conservative values to protect its position. This isn't helped by the murky relations between <a href="https://drupal.sh/relationship-drupal-acquia">Acquia and Drupal</a>.</p> <p>While <a href="https://twitter.com/tcmug/status/800641889158447104">Drupal.org community growth</a> has been slowing and <a href="https://drupal.sh/has-drupal-adoption-stalled-enterprise">Drupal growth is flat</a>, it has been noted that the Drupal project itself has slowly been aligning itself for bigger things, in the spirit of continued growth. This has come at the expense of the old values, which has <a href="https://www.ostraining.com/blog/drupal/drupal-controversy/">not gone unnoticed</a>:</p> <blockquote> <p>However, interesting times bring excitement, but also tension and stress. 
You can sense those feelings in the Drupal community right now, for these reasons and more:</p> <ul><li>Drupal 8 adoption has been noticeably slower than with other versions.</li> <li>Dries changed a fundamental Drupal principle and <a href="http://buytaert.net/making-drupal-upgrades-easy-forever">promised that all future upgrades would be smooth</a>.</li> <li>Drupal seems to be changing its audience towards enterprise users, with a heavier reliance on developer tools such as Composer.</li> <li>The Drupal Association has been struggling with financial problems and leadership changes.</li> <li>Ambitious ideas, such as experimental modules in the core, haven't yet worked out as well as hoped.</li> <li>Some big Drupal agencies have struggled to maintain their rapid growth, and some have shrunk or left the market.</li> </ul></blockquote> <p>It seems that, lulled by a long period of continued growth, Drupal has failed to renew itself. Drupal 8 is a major rewrite of the technical platform, but failed to deliver on any <a href="https://www.nngroup.com/articles/definition-user-experience/">user experience</a> improvements. This sounds very similar to what Nokia did with the Symbian platform, which didn't end well for Symbian. Drupal 8 is also <a href="https://www.reddit.com/r/drupal/comments/64iwbz/next_steps_for_evolving_drupals_governance/dg2xhps/">criticised for complexity and being late to market</a>, due to the overly long development process.</p> <p>In order to make a radical change, Nokia adopted Windows Phone as its operating system of choice. Similarly, the Drupal leadership has noticed that Drupal is failing to deliver on eCommerce and is embracing the (aging) market leader <a href="https://www.acquia.com/about-us/newsroom/press-releases/acquia-magento-commerce-forge-partnership-unify-content-and">Magento through a partnership</a> instead. 
Two turkeys don't make an eagle?</p> <h2>Drupal's architecture is sunset technology</h2> <p>Perhaps one of the reasons for Drupal's decline is its position as market leader, but underneath is a bigger change that Drupal may simply be unable to respond to. The modern smartphone industry was essentially created a decade ago by Apple. Symbian was the dominant platform before, but simply could not deliver the experience due to technical constraints. Of course there could have been a complete rewrite, but with so much baggage it could not be done. The same goes for Drupal with its<a href="https://www.drupal.org/news/drupal-15-years-old-and-still-gaining-momentum"> 15+ year legacy</a> in concepts and a heavily PHP-focused community.</p> <p>For Drupal that market is Content Management Systems. For the longest time CMSes were selected largely on the features they could provide. With Drupal's large selection of modules it almost always came out on top, not because it was necessarily the best choice, but a decent compromise. This sounds a lot like what a Symbian smartphone was: a feature-packed phone with decent battery life but a pretty horrid user experience (in hindsight).</p> <p>The iPhone for the Drupal market is microservices. Instead of building a single monolith with all the bells and whistles, more and more companies and organizations are composing their content management solutions from smaller parts, where sometimes a simple Content API is enough. There is room for <a href="http://drupal.sh/in-a-world-of-microservices-is-drupal-an-unwanted-swiss-army-knife">Drupal in microservices</a>, but it will no longer be the dominant entity in such architectures. Drupal has not lost its unique technical edge, but that edge is just not as relevant. </p> <p>With Drupal continuously investing in in-site editing and other highly consolidated features, it already feels a bit outdated. 
Since Drupal 7, JavaScript has become the leading force in contemporary web development, yet Drupal has not chosen a clear path here. There are some initiatives like the <a href="https://www.drupal.org/project/waterwheel">Drupal Waterwheel initiative</a>, but these are adopted by only a handful of people. The same goes for the aspirations of Drupal as a desktop application platform.</p> <p>Add to all of this that PHP is increasingly not the first language that new web developers pick up. Instead JavaScript has become the dominant new language, and this is an area where Drupal is playing catch-up at best with its aged front-end architecture. And given the track record in renewing the user experience, we're not holding our breath.</p> <p>Nowadays Drupal is seen by many as the Sharepoint of the JavaScript generation: a tool they don't want to use, but one that is pushed on them by the enterprise. Drupal is no longer the enthusiast's choice, and this means the start of a long and slow decline.</p></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2017-04-11T03:42:47+00:00" class="field field--name-created field--type-created field--label-hidden">Tue, 04/11/2017 - 03:42</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> </ul></div> Tue, 11 Apr 2017 03:42:47 +0000 dryer 48 at http://drupal.sh Drupal, WordPress, Joomla vulnerable due to PHPMailer http://drupal.sh/php-cms-wordpress-joomla-drupal-vulnerable-phpmailer <span property="schema:name" class="field field--name-title field--type-string field--label-hidden">Drupal, WordPress, Joomla vulnerable due to PHPMailer</span> <div class="field field--name-field-image field--type-image field--label-hidden field__item"> <img property="schema:image" src="http://drupal.sh/sites/default/files/styles/large/public/2016-12/68747470733a2f2f7261772e6769746875622e636f6d2f5048504d61696c65722f5048504d61696c65722f6d61737465722f6578616d706c65732f696d616765732f7068706d61696c65722e706e67.png?itok=3keOGDNh" width="340" height="90" alt="php mailer" typeof="foaf:Image" class="image-style-large" /></div> <div property="schema:text" class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>PHPMailer, a popular email-sending class used by web CMSes such as WordPress, Joomla and Drupal, has been found to be vulnerable to a bug that allows execution of arbitrary code. PHPMailer is the most popular utility class for sending email with PHP. An estimated 9 million sites currently use it, most of them vulnerable.</p> <p>The issue is serious, as it exposes millions of websites, from small businesses to giant corporations. The issue, now tracked as CVE-2016-10033, was made public by Dawid Golunski.</p> <p>The original library is now fixed, but sites running Drupal, WordPress and Joomla will require an upgrade procedure to deploy the fix. Note that Drupal core does not ship PHPMailer itself; it reaches Drupal sites through contributed modules (the SMTP module, for example) and the libraries installed alongside them, so those are what need updating, as the Drupal PSA linked below explains. 
More details:</p> <ul><li><a href="https://www.drupal.org/psa-2016-004">PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004</a></li> <li><a href="https://github.com/opsxcq/exploit-CVE-2016-10033">PHPMailer < 5.2.18 Remote Code Execution</a></li> <li><a href="https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/">Critical Vulnerability in PHPMailer. Affects WP Core.</a></li> </ul></div> <span rel="schema:author" class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="http://drupal.sh/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">dryer</span></span> <span property="schema:dateCreated" content="2016-12-28T09:34:19+00:00" class="field field--name-created field--type-created field--label-hidden">Wed, 12/28/2016 - 09:34</span> <div class="field field--name-field-tags field--type-entity-reference field--label-above clearfix"> <h3 class="field__label">Tags</h3> <ul class="links field__items"><li><a href="http://drupal.sh/taxonomy/term/36" property="schema:about" hreflang="en">wordpress</a></li> <li><a href="http://drupal.sh/taxonomy/term/43" property="schema:about" hreflang="en">joomla</a></li> <li><a href="http://drupal.sh/taxonomy/term/1" property="schema:about" hreflang="en">drupal</a></li> </ul></div> Wed, 28 Dec 2016 09:34:19 +0000 dryer 47 at http://drupal.sh
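<p>Both the References advisory above and this PHPMailer post come down to the same operational question: which of your deployments still carry the affected component? The script below is an added example, not code from drupal.sh, PHPMailer, Drupal or WordPress. It walks a web root and flags any bundled PHPMailer older than 5.2.18 (the fixed version named in the exploit link above) and any copy of the unmaintained References module. It assumes, as stated in its docstring and not on this page, that PHPMailer 5.x declares <code>public $Version = '…';</code> in <code>class.phpmailer.php</code> (WordPress ships it as <code>class-phpmailer.php</code>), that PHPMailer 6.x declares <code>const VERSION = '…';</code> in <code>PHPMailer.php</code>, and that a Drupal 7 module ships a <code>.info</code> file with <code>project</code> and <code>version</code> keys. The sample tree it builds for a dry run is constructed, not taken from a real site.</p>

```python
"""Inventory a PHP web root for the two issues this page reports: a bundled
PHPMailer older than 5.2.18 (CVE-2016-10033) and the unmaintained Drupal 7
'references' contrib module (SA-CONTRIB-2017-38).

Added example; not code from drupal.sh, PHPMailer, Drupal or WordPress.
Assumptions (not stated on the page): PHPMailer 5.x declares
`public $Version = 'x.y.z';` in class.phpmailer.php (WordPress ships it as
class-phpmailer.php) and 6.x declares `const VERSION = 'x.y.z';` in
PHPMailer.php; a Drupal 7 module ships a <name>.info file carrying
`project = "<name>"` and `version = "7.x-a.b"` lines.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

PHPMAILER_FIXED = (5, 2, 18)  # first release without CVE-2016-10033
PHPMAILER_FILES = {"class.phpmailer.php", "class-phpmailer.php", "PHPMailer.php"}
UNMAINTAINED = {
    "references": "SA-CONTRIB-2017-38: unsupported, migrate to Entity Reference",
}

VERSION_RE = re.compile(
    r"""(?:\$Version\s*=|const\s+VERSION\s*=)\s*['"](\d+(?:\.\d+)*)['"]"""
)
INFO_RE = re.compile(r'^\s*(project|version)\s*=\s*"?([^"\n]+?)"?\s*$', re.M)


def parse_version(text):
    """'5.2.16' -> (5, 2, 16), so tuple comparison orders releases correctly."""
    return tuple(int(p) for p in text.split("."))


def phpmailer_version(path):
    """Version tuple declared in a PHPMailer class file, or None if absent."""
    m = VERSION_RE.search(Path(path).read_text(errors="replace"))
    return parse_version(m.group(1)) if m else None


def info_fields(path):
    """project/version keys of a Drupal 7 .info file as a dict."""
    return dict(INFO_RE.findall(Path(path).read_text(errors="replace")))


def scan(docroot):
    """Walk docroot; return (component, docroot-relative path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if name in PHPMAILER_FILES:
                ver = phpmailer_version(full)
                if ver is None:
                    findings.append(("phpmailer", rel, "no version string, inspect manually"))
                elif ver < PHPMAILER_FIXED:
                    shown = ".".join(map(str, ver))
                    findings.append(("phpmailer", rel, "%s < 5.2.18, CVE-2016-10033" % shown))
            elif name.endswith(".info"):
                fields = info_fields(full)
                project = fields.get("project", name[:-len(".info")])
                if project in UNMAINTAINED:
                    detail = "%s, %s" % (fields.get("version", "unknown version"), UNMAINTAINED[project])
                    findings.append((project, rel, detail))
    return findings


def build_sample_docroot():
    """Constructed sample tree (not a real site): one vulnerable and one fixed
    PHPMailer copy, the references module and an unrelated module."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        "sites/all/libraries/phpmailer/class.phpmailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.16';\n}\n",
        "wp-includes/class-phpmailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.22';\n}\n",
        "sites/all/modules/references/references.info":
            'name = References\ncore = 7.x\nversion = "7.x-2.1"\nproject = "references"\n',
        "sites/all/modules/views/views.info":
            'name = Views\ncore = 7.x\nversion = "7.x-3.14"\nproject = "views"\n',
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_docroot()
    for component, rel, detail in scan(target) or [("-", "-", "nothing flagged")]:
        print("%-11s %-55s %s" % (component, rel, detail))
```

<p>Run it against a real site with <code>python inventory.py /var/www/html</code>; with no argument it scans the constructed sample and reports the 5.2.16 copy and the References module while staying silent on the 5.2.22 copy and Views. Treat a version string below 5.2.18 as a strong signal rather than proof: distributions and CMS vendors sometimes backport a fix without bumping <code>$Version</code>, and a copy that is present but never loaded is dead code rather than an exposure, so confirm against the package changelog before closing or escalating a finding.</p>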