April 3, 2018 by LIFARS

Content Management System Flaw Leaves 1 Million Websites Vulnerable

A vulnerability discovered in a popular CMS (content management system), Drupal, could leave some 1 million websites exposed to attack, if left unpatched.

Labeled “highly critical” by Drupal’s own developers, the vulnerability can be reached through several attack paths and could allow an attacker to take complete control of an affected website. It affects multiple versions, including Drupal 6.x, Drupal 7.x and Drupal 8.x.

A CMS is the software a website runs to create, store and publish its content (articles, images and other media), usually on top of a database. Because it renders every page the site serves, it also determines how the site is presented to search engines such as Google, Yahoo and Bing. Drupal is one of several popular content management systems, alongside Joomla, Kentico, WordPress and others.

According to research from BuiltWith, 37 percent of websites using a CMS rely on WordPress, followed by Drupal at nine percent and Google’s Search Appliance at three percent. Drupal powers some 928,443 websites, while WordPress backs nearly 20 million websites, or 5.3 percent of the entire internet.

The vulnerability, tracked by the Drupal project as SA-CORE-2018-002 (CVE-2018-7600), was discovered by Jasper Mattsson of the development house Druid during a routine Drupal security audit. The Drupal team has not published technical details, but it acknowledges that an attacker could fully compromise a Drupal-based website.

Under the Drupal security team’s own risk-scoring system, the vulnerability is rated as follows:

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

“Note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change,” the Drupal team stated. “The Security Team strongly recommends that the best solution is for sites to upgrade.”
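Since the advisory's remedy is to upgrade, the first thing a site owner needs is a reliable answer to "which release am I running, and is it one of the fixed ones?" The following is an added example, not code from LIFARS or the Drupal project: it reads the version constant that Drupal core records on disk (`includes/bootstrap.inc` for 7.x, `core/lib/Drupal.php` for 8.x, `modules/system/system.module` for 6.x) and compares it with the first fixed release on each supported branch named in SA-CORE-2018-002 (7.58, 8.3.9, 8.4.6, 8.5.1). The sample file contents are constructed; Drupal 6 is reported as unsupported because it was already end-of-life and received no upstream release.

```python
"""Classify a Drupal core version against the SA-CORE-2018-002 fixed releases.

Added example (not LIFARS or Drupal project code). Fixed-release numbers are the
ones listed in Drupal's SA-CORE-2018-002 advisory; the file paths and constants
are where Drupal core records its own version. Sample file contents are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed release on each supported branch, per SA-CORE-2018-002.
FIXED_RELEASES = {
    7: {None: (7, 58)},                                   # Drupal 7.x -> 7.58
    8: {3: (8, 3, 9), 4: (8, 4, 6), 5: (8, 5, 1)},         # Drupal 8.3/8.4/8.5
}

# File and constant in which each major version of Drupal core records its version.
VERSION_FILES = {
    6: ("modules/system/system.module", r"define\('VERSION',\s*'([^']+)'\)"),
    7: ("includes/bootstrap.inc", r"define\('VERSION',\s*'([^']+)'\)"),
    8: ("core/lib/Drupal.php", r"const VERSION\s*=\s*'([^']+)'"),
}


def find_version(files: Dict[str, str]) -> Optional[str]:
    """Return the core version string found in a codebase (path -> contents), or None."""
    for _major, (path, pattern) in VERSION_FILES.items():
        if path in files:
            match = re.search(pattern, files[path])
            if match:
                return match.group(1)
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.58' -> (7, 58); '8.5.1' -> (8, 5, 1); '8.5.x-dev' -> (8, 5)."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def _fmt(parts: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in parts)


def assess(version: str) -> Tuple[str, str]:
    """Return ('patched' | 'vulnerable' | 'unsupported', reason) for a core version.

    Tuple comparison makes a dev snapshot such as 8.5.x-dev, parsed as (8, 5),
    sort below (8, 5, 1), so snapshots are conservatively reported as vulnerable.
    """
    parts = parse_version(version)
    major = parts[0]
    if major <= 6:
        return "unsupported", "Drupal 6 and earlier are end-of-life; no upstream release fixes SA-CORE-2018-002"
    if major == 7:
        fixed = FIXED_RELEASES[7][None]
        status = "patched" if parts >= fixed else "vulnerable"
        return status, f"7.x is fixed in {_fmt(fixed)}"
    if major == 8:
        minor = parts[1]
        fixed = FIXED_RELEASES[8].get(minor)
        if fixed is None:
            if minor < 3:
                return "vulnerable", "8.0-8.2 received no fix; upgrade to 8.5.1 or later"
            return "patched", "8.6 and later were released after the fix"
        status = "patched" if parts >= fixed else "vulnerable"
        return status, f"8.{minor}.x is fixed in {_fmt(fixed)}"
    return "patched", "releases after 8.x include the fix"


def scan_codebase(files: Dict[str, str]) -> Dict[str, str]:
    """Locate the version in a codebase and classify it."""
    version = find_version(files)
    if version is None:
        return {"version": "", "status": "unknown", "reason": "no Drupal version constant found"}
    status, reason = assess(version)
    return {"version": version, "status": status, "reason": reason}


# Constructed sample codebases (only the version-bearing file is needed).
SAMPLE_D7_UNPATCHED = {"includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.57');\n"}
SAMPLE_D8_PATCHED = {"core/lib/Drupal.php": "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"}

if __name__ == "__main__":
    for name, files in (("d7", SAMPLE_D7_UNPATCHED), ("d8", SAMPLE_D8_PATCHED)):
        print(name, scan_codebase(files))
```

The version constant is only evidence that the release was installed; a site whose maintainers applied the fix as a patch file without bumping the constant will show as vulnerable, and a site that was exploited before being upgraded still needs an incident review, since upgrading removes the hole but not anything an attacker left behind.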


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with law enforcement agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. intelligence agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
