Drupal, one of the Internet’s top three CMSs, has several bugs in its update process that could allow attackers to poison installations via update packages and, in the worst case, take over servers.
Drupal is not as popular as WordPress or Joomla, but it is used by some fairly serious content businesses, and it is mostly used to build enterprise-ready, large-scale, highly customizable websites.
IOActive researcher Fernando Arnaboldi says in a post that all new Drupal installs are affected by the flawed update mechanism and that fixes are not yet available.
Like any modern CMS, Drupal can be updated from its backend administration with a single click. The platform also has an automatic update checker for both its modules and its core, which notifies the administrator whenever a new version is out and lets them update quickly.
Arnaboldi says that sites are at risk of attacks now and in the future because Drupal 7 and 8 mark themselves as ‘up-to-date’ even when the automated patching process fails because of dead Internet links.
“Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning,” Arnaboldi says. “In Drupal 6 there was a warning message in place, but this is not present in Drupal 7 or Drupal 8.”
Arnaboldi also noticed other vulnerabilities, including that the update process runs over HTTP instead of HTTPS, which opens the door to man-in-the-middle attacks on public networks.
Moreover, Arnaboldi says that the failure to verify the authenticity of downloaded updates could allow remote code execution.
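The three weaknesses described above (a failed check reported as ‘up-to-date’, plaintext HTTP transport, and no authenticity check on the downloaded package) map onto three defensive rules. The following is an added example, not Drupal’s own code or anything from IOActive’s post: a fail-closed update checker and a package fetch that refuses non-HTTPS URLs and verifies a digest obtained out of band. The transports, URLs and package bytes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

@dataclass
class UpdateStatus:
    state: str    # "up-to-date", "update-available" or "unknown"
    detail: str

def _vtuple(version: str) -> tuple:
    # "7.43" -> (7, 43); non-numeric parts compare as 0 (constructed simplification)
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def check_update_status(installed: str, fetch_latest: Callable[[], str]) -> UpdateStatus:
    """Fail closed: if the release feed cannot be fetched (dead link, timeout),
    report 'unknown' instead of silently claiming the site is up to date."""
    try:
        latest = fetch_latest()
    except Exception as exc:  # network error, malformed feed, etc.
        return UpdateStatus("unknown", f"update check failed: {exc}")
    if _vtuple(latest) > _vtuple(installed):
        return UpdateStatus("update-available", f"{installed} -> {latest}")
    return UpdateStatus("up-to-date", installed)

def fetch_verified_package(url: str, expected_sha256: str,
                           fetch_bytes: Callable[[str], bytes]) -> bytes:
    """Refuse plaintext HTTP, and refuse any package whose SHA-256 does not
    match the digest the caller obtained through a trusted channel."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS update URL: {url}")
    data = fetch_bytes(url)
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        raise ValueError(f"digest mismatch: expected {expected_sha256}, got {digest}")
    return data

# Constructed fakes standing in for the real update server (hypothetical hosts).
def dead_link() -> str:
    raise ConnectionError("updates.example.invalid unreachable")

FAKE_PACKAGE = b"drupal-7.x.tar.gz (constructed placeholder bytes)"
FAKE_PACKAGE_SHA256 = hashlib.sha256(FAKE_PACKAGE).hexdigest()

if __name__ == "__main__":
    print(check_update_status("7.43", dead_link))          # state == "unknown"
    print(check_update_status("7.43", lambda: "7.44"))     # update-available
```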
Over time, many webmasters may decide to switch from Drupal to another platform such as WordPress; in light of the current vulnerabilities, we could see even more defections. WordPress is probably the best CMS for webmasters, given that 25 percent of all websites in the world now use the platform. WordPress is also a feature-rich and affordable site builder for many small businesses.