For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties. From a report: Maintainers of the open-source CMS built on the PHP programming language released an update on Wednesday patching a critical remote-code-execution vulnerability. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn't provide details on how the vulnerability can be exploited other than to say attacks work remotely. The maintainers rated the vulnerability "critical" and urged websites to patch it as soon as possible.

  • A new twist on term 'open source' (Score:4, Funny)

    by TheZeitgeist ( 5083373 ) on Wednesday April 25, 2018 @04:11PM (#56502191)
    Apparently, the source is open more ways than one.

  • Quick! Get a drum circle together! (Score:1)

    by Anonymous Coward

    Only with the power of caring and group-think can we overcome these nasty, racist/sexist/bigoted microaggression bugs. Someone fetch a Holy (non-denominational) Scroll of Code of Conduct!

    Drupal - fix your shit. Full stop. These bugs? They're WAY more embarrassing (as viewed by the people who matter) than you spending your time kink-shaming your VOLUNTEER developers.

  • How outrageous (Score:5, Funny)

    by Billly Gates ( 198444 ) on Wednesday April 25, 2018 @04:18PM (#56502221) Journal

    Drupal and PHP are so well secured and up to date that this could happen is simply inconceivable.

    • Re: (Score:3, Funny)

      by Narcocide ( 102829 )

      Drupal and PHP are so well secured and up to date that this could happen is simply inconceivable.

      You keep using that word... I do not think it means what you think it means.

    • Where are the sandboxes? (Score:5, Insightful)

      by goombah99 ( 560566 ) on Wednesday April 25, 2018 @04:42PM (#56502343)

      Why don't developers just write code that doesn't have security holes in it?

      Presumably because they can't. It's time we started programming computer resource sandboxes into every application by default.

      Linux, Mac, and Windows all have things for this. Macs have a dtrace-based sandbox that can be per application or per process.

      Sandboxes can specify what a process and all child processes can do at the computer resource level. Can they get on the network? Can they access the file system? What files can they access? Do they have write permission? How much memory can they use? How much CPU? And so on.

      If we always launched processes with these clamped down, a lot of security holes would not be exploitable. Why is it these are largely unused?
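      As an added illustration of the per-process clamping described in this comment (example code written here, not from the page or from any project; it assumes Linux, where RLIMIT_AS is enforced, and uses constructed limits), the parent sets memory and CPU limits in the child just before exec, so the limits are inherited by every descendant:

```python
import resource
import subprocess
import sys

# Constructed limits for the demo: 256 MiB of address space, 2 s of CPU time.
MEM_LIMIT = 256 * 1024 * 1024
CPU_LIMIT = 2


def _clamp():
    """Runs in the child between fork and exec; rlimits survive exec and are inherited."""
    resource.setrlimit(resource.RLIMIT_AS, (MEM_LIMIT, MEM_LIMIT))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_LIMIT, CPU_LIMIT))


def run_clamped(code: str) -> int:
    """Run a Python snippet as a clamped child; return its exit status (negative = killed by signal)."""
    proc = subprocess.run(
        [sys.executable, "-c", code],
        preexec_fn=_clamp,
        capture_output=True,
    )
    return proc.returncode


# Constructed child programs: one well-behaved, one memory hog, one CPU spinner.
SMALL = "x = bytearray(1024); print(len(x))"
MEM_HOG = "x = bytearray(1024 * 1024 * 1024); print(len(x))"   # 1 GiB > RLIMIT_AS
CPU_SPIN = "while True: pass"                                  # exceeds RLIMIT_CPU


def small_allowed() -> bool:
    return run_clamped(SMALL) == 0


def memory_hog_blocked() -> bool:
    # malloc fails under RLIMIT_AS, so the child dies with MemoryError (non-zero exit).
    return run_clamped(MEM_HOG) != 0


def cpu_spin_killed() -> bool:
    # The kernel delivers SIGXCPU once the CPU limit is hit; the default action terminates the child.
    return run_clamped(CPU_SPIN) != 0


if __name__ == "__main__":
    print("small child ran:", small_allowed())
    print("memory hog blocked:", memory_hog_blocked())
    print("cpu spinner killed:", cpu_spin_killed())
```

      The same mechanism applied to a web server's worker processes limits what a compromised worker can consume, though it does nothing about data the worker is legitimately allowed to read.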

      • Re: (Score:2)

        by Njovich ( 553857 )

        What's the point of that when the real sensitive data is in the website? The PHP code still has to access the database. Who cares about anything else? Either way, it's pretty standard practice these days to run sites in a separate VM or otherwise sandboxed environment.

      • You mean like containers that Linux and Amazon use and very recently Windows and Azure Linux/Windows serverless [arstechnica.com]?

        Problem is it doesn't solve SQL access bugs; even if you can generate another container, the data is still compromised.

        Kids today use node.js and frameworks from Azure and Amazon that are secured and unfortunately locked to these platforms.

        Coders should not be security experts. The frameworks should be, which PHP has shown are not written by such.

      • Why do people use php?

    • fyi: saveie6.com yields 404

  • Remember, this is a SJW-infested software project (Score:1, Informative)

    by Anonymous Coward
    It adopted the Contributor Covenant, which is tied back to Coraline Ada Ehmke, a psycho tranny who tried to shove it down various entities' throats, including GitHub. It kicked out Larry Garfield for his personal sexual fetishes and his choice in sex partner. It has "committees" packed with females that are public about their SJW-ness. Drupal and its gross failures are a prime example of the social justice cancer.

    Do not allow codes of conduct in your software projects. Do not allow the physical characteris

  • the open-source CMS built on the PHP programming language

    • It does seem PHP panders to low-talent and lazy developers who make all manner of insecure platforms and modules. A developer who decides to go into PHP is much like a person who joins the band to play the triangle.

      • Wrong. (Score:1)

        by Anonymous Coward

        PHP is my go-to language of choice, long before Python, Ruby, Go, NodeJS, Rust, Perl, D, C++, etc. It's a superior platform in the hands of someone who knows what they are doing. No language out there *natively* comes close to touching the power, flexibility, and performance of PHP arrays, which are the ultimate data structure with near-O(1) insert, update, delete, and find operations that keep the order of elements: the hash table + linked list solution to data management is, quite frankly, brilliant.

        On

        • Nonsense: a company running those multiple systems will have the PHP ones broken into early and often. Web application firewalls will have the most rules devoted to PHP flaws and exploits. It is the insecure, malware-ridden choice, and the low-wage developers are the ones who work on it. In short, it panders to low-watt bulbs and is an attack and malware magnet.

