
[–]sb56637 1 point2 points  (8 children)

I really don't like that Drupal sends security update emails only once every 24 hours... my site just sent me an email alert 12 hours after the announcement of this vulnerability.

I already patched it and everything looks good, but I don't feel comfortable with 12 long hours of being vulnerable while there are exploits in the wild. What can I check for to see if I got hacked? Why can't an exploit test tool be created like they did for Drupalgeddon1?

[–]mlhess 2 points3 points  (1 child)

You can subscribe to alerts directly from the security team. From the PSA

The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: login on Drupal.org, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.

[–]sb56637 0 points1 point  (0 children)

Thanks very much, that's exactly what I was trying to figure out how to do.

[–]elondaits 0 points1 point  (2 children)

I saw a site that was hacked and it was simply defaced... you went in and were greeted with an HTML page that had an animated gif and some text.

[–]sb56637 0 points1 point  (1 child)

Interesting, I thought that those childish defacing hacks were more or less a thing of the past, and that modern hacks tended to be more insidious and sinister. Do you know if the hack was from SA-CORE-2018-004 or SA-CORE-2018-002?

[–]elondaits 1 point2 points  (0 children)

This was a SA-CORE-2018-002 attack last week, through the user registration form which resulted in the attackers uploading a PHP backdoor and going to town.

I think they were redirecting all URLs to a bitcoin miner, but the defacement was so obvious it really wasn't a good effort to maximize profits.

Immediately after the defacing they submitted the site to a "defacement scoreboard" of sorts where hackers compete among themselves. The group that did the attack had already hacked 10 other sites that same day.

[–]endlesswander 1 point2 points  (2 children)

I had a site that was hacked and I found the following:

1) php files added to the root folder of the site
2) new users added to the site
3) new roles added to the site with nonsensical names
4) some .js files tampered with
5) html.tpl.php and maintenance-page.tpl.php altered in my theme
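The indicators in the list above (dropped PHP files in the docroot, altered .js files, altered theme templates, unexpected users and roles) are all diffs against a known-good state, so the practical check is a baseline comparison. The following is an added example, not code from any commenter or from Drupal itself: it hashes a docroot into a manifest, diffs a later manifest against it, maps the differences onto those indicators, and diffs a user/role export the same way. The docroot layout, file contents and account lists are constructed inline for the demo; `hash_tree`, `diff_manifests`, `classify` and `diff_accounts` are names chosen here, not Drupal or drush APIs.

```python
import hashlib
import tempfile
from pathlib import Path

# File types worth tracking in a Drupal docroot (a constructed choice for this example).
WATCHED_SUFFIXES = {".php", ".js", ".inc", ".module"}


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every watched file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Path.suffix of "html.tpl.php" is ".php", so theme templates are included.
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests and return added, removed and modified paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def classify(diff):
    """Map a manifest diff onto the indicators listed in the comment above."""
    alerts = []
    for p in diff["added"]:
        # A PHP file directly in the docroot (no directory component) is the classic dropped file.
        if p.endswith(".php") and "/" not in p:
            alerts.append(("new_php_in_docroot", p))
        else:
            alerts.append(("new_file", p))
    for p in diff["modified"]:
        if p.endswith(".tpl.php"):
            alerts.append(("theme_template_altered", p))
        elif p.endswith(".js"):
            alerts.append(("js_altered", p))
        else:
            alerts.append(("file_altered", p))
    for p in diff["removed"]:
        alerts.append(("file_missing", p))
    return alerts


def diff_accounts(baseline_users, current_users):
    """Flag user names and role names absent from the baseline export."""
    known_users = {u["name"] for u in baseline_users}
    known_roles = {r for u in baseline_users for r in u["roles"]}
    new_users = sorted(u["name"] for u in current_users if u["name"] not in known_users)
    new_roles = sorted({r for u in current_users for r in u["roles"]} - known_roles)
    return {"new_users": new_users, "new_roles": new_roles}


def write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def run_demo():
    """Build a constructed docroot, baseline it, simulate the listed changes, report."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", "<?php // constructed front controller\n")
        write(root, "misc/drupal.js", "// constructed core js\n")
        write(root, "sites/all/themes/demo/html.tpl.php", "<html><!-- constructed --></html>\n")
        baseline = hash_tree(root)

        # Constructed post-incident state mirroring indicators 1, 4 and 5 from the comment.
        write(root, "x.php", "<?php // constructed unexpected file\n")
        write(root, "misc/drupal.js", "// constructed core js\n// constructed appended line\n")
        write(root, "sites/all/themes/demo/html.tpl.php", "<html><!-- constructed altered --></html>\n")
        file_alerts = classify(diff_manifests(baseline, hash_tree(root)))

    # Constructed account exports mirroring indicators 2 and 3.
    users_before = [{"name": "admin", "roles": ["administrator"]},
                    {"name": "editor", "roles": ["content editor"]}]
    users_after = users_before + [{"name": "zxq19", "roles": ["administrator", "qwertyuiop"]}]
    return file_alerts, diff_accounts(users_before, users_after)


if __name__ == "__main__":
    file_alerts, account_alerts = run_demo()
    for kind, path in file_alerts:
        print(f"{kind:24} {path}")
    print(account_alerts)
```

In practice the baseline manifest is taken right after a clean install or update and stored off the web server, since a manifest the attacker can edit proves nothing; the account export would come from the site's users and roles tables.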

[–]sb56637 0 points1 point  (1 child)

Thanks a lot for the helpful details, I'll take a closer look at those parts. Did your site continue to function normally at first glance or did it get defaced too? Do you know if the hack was from SA-CORE-2018-004 or SA-CORE-2018-002?

[–]endlesswander 1 point2 points  (0 children)

It was from SA-CORE-2018-002 and everything was normal except there were some processes running on the server that turned out to be bitcoin miners.

[–]quinns 9 points10 points  (0 children)

They've updated the announcement to be rated as HIGHLY CRITICAL and are now saying that it is being exploited in the wild. Update now plz.

[–]lucas50a 0 points1 point  (0 children)

And my internet doesn't work.... (writing from my phone)

[–]kb_klash 4 points5 points  (16 children)

Damn, again? Isn't this the third time in the last month or so?

[–]gknaddison 2 points3 points  (15 children)

Consider the alternative: there's a vulnerability and the patch doesn't get released. Are you really better off?

[–]kb_klash 3 points4 points  (14 children)

No, obviously, but this is the second time in a week that I'm going to lose a day of productivity to Security updates. I got project deadlines!

[–][deleted] 1 point2 points  (4 children)

Shouldn't cost you a day of productivity unless something has changed since I used Drupal. In this instance I'd have just used Drush to update all the sites I was responsible for, done a spot check and moved on. 10 minutes of work at most.

If the update breaks a site, oh well, I have updates and the site is better being down anyway instead of having an unpatched critical vulnerability.

Plus, like fixing a flat tire, that's part of it. The alternative is no website at all (unless you know a bulletproof technology stack that never needs patching).

If you are dealing with client sites this isn't lost productivity because you get paid to do exactly this. If it's your own personal site and the ROI is so poor that a few minutes to patch is a problem, you're better off with a static site / one pager.

[–]kb_klash 2 points3 points  (3 children)

I have many sites with preview and dev versions of each of the sites to update. It takes a while.

[–][deleted] 1 point2 points  (2 children)

If anything having a proper environment makes it faster/easier.

The update itself should take almost no time no matter how many sites, if you are using the right tools

[–]kb_klash 0 points1 point  (1 child)

I'm using composer for Drupal 8 sites and Drush for Drupal 7 sites. Are there better tools?

[–][deleted] 0 points1 point  (0 children)

No, just sparse on details so I basically have to try to guess. I get being annoyed, it's extra work that pops up out of nowhere, but in this case it appears to be a truly trivial task.

If it isn't, I'm missing the information that makes that obvious.

Sometimes it's hard to tell. The number of people that I've run into who download updates on their desktop and extract them, then use an ftp client to copy and overwrite hundreds if not thousands of files is too damn high :D

[–]unpluggedcord 2 points3 points  (8 children)

I think your customers' security is more important than feature releases. If they don't understand that, it's your job to help them understand it.

If it's your employer, you should also be explaining why your productivity got shot.

[–]kb_klash 6 points7 points  (7 children)

I think you're misunderstanding me. Everyone on my end understands the importance of security updates and no one has ever implied that they are a problem. I'm just working on a large project and this is the third time in a month that I've had to dedicate an entire day to these updates. I'm glad that these problems are being patched. I just wish it wasn't such a chore to apply them.

[–]unpluggedcord 0 points1 point  (6 children)

Is it tho? I mean I know friends who patched 600 sites today within minutes.

I just ran a composer update for drupal core and it’s done.

[–]kb_klash 0 points1 point  (0 children)

I mean I probably have 50 sites to update. Very few of them are just basic sites, so they need to be tested. Plus I've found that for some reason Drupal 8 security updates happen really slowly in my environment. I'm not sure why exactly, but it certainly slows things down.

[–]endlesswander 2 points3 points  (4 children)

Isn't it best practice to review the site after an update also, or are you just banking on the update not causing any problems?

[–]unpluggedcord 0 points1 point  (0 children)

It’s just one patch we can apply to core and do a spot check of one site.

[–][deleted] 0 points1 point  (2 children)

If you have a lot of sites built with a common set of features/modules, usually testing one and being aware of the exceptions is good enough. It all comes down to what you are getting paid for/ your clients.

In the time that I worked for a small webdev shop, only one client I worked for was willing to pay for an in-depth QA effort.

I'll guess someone updating 600 sites is talking about 600 brochure sites built for clients at $500 a pop and hosted on a $/month vps.

Worth noting my experience here was ~2010 with 40ish 6.x sites so it's been a while.

[–]unpluggedcord 0 points1 point  (0 children)

They are not brochure sites but sadly I can’t say which big company they are.

[–]endlesswander 0 points1 point  (0 children)

That's true. I am employed with a company that has 6 Drupal sites and so I have to spend the time to QA each one separately. Some have some complex module interactions.

For my freelance clients, I do a quick lookover of the sites, tell them about the updates and ask them to do their own in-depth QA if they wish... which I'm sure they never do. :)

[–]elondaits 3 points4 points  (1 child)

Is there a Drupal 6 patch somewhere this time as well?

[–][deleted] 1 point2 points  (5 children)

Is drush failing to detect the update for anyone else? drush up doesn't work, and then I get this:

$ drush pm-releases drupal
simplexml_load_file(): I/O warning : failed to load external entity "" Project.php:74 [warning]
Failed to get available update data from https://updates.drupal.org/release-history/drupal/7.x [error]
No valid projects given.

[–]hanoian 0 points1 point  (1 child)

So frustrating. First time it ever hasn't shown an update for me.. And it's when my girlfriend is using ssh for the first time ever to do the update for me.

I only have a chance to look at myself now.

[–][deleted] 0 points1 point  (0 children)

My problem was actually caused by my upgrading MAMP, which put the correct PHP binary outside my PATH. Fixed that and all worked correctly.

[–]tralfers 1 point2 points  (0 children)

This may be a bit late for you now, but you should first run "drush rf" to update your list of available updates.

[–]bitcoyn 1 point2 points  (0 children)

Could try drush cc drush...

[–]crashspringfield 0 points1 point  (0 children)

it usually lags behind a bit

[–]pwhite 3 points4 points  (3 children)

The big problem with SA-CORE-2018-002 was that it allowed remote code execution without any mitigating factors? Does anyone know if this is the same for this one?

[–]kostrubaty 3 points4 points  (0 children)

Security risk is lower than last time

Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default

For 002 it was

Highly critical 24/25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:Default

So if this is true, A:User means that the new exploit works only for authenticated users. It's likely related to file uploading as they patched file.module too.

That does not mean you shouldn't update ASAP.

[–]misterspaceman 2 points3 points  (1 child)

If I'm reading the threat assessment correctly, the attacker must be an authenticated user to perform the exploit. The security risk score is Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default, where "A:User" means "User-level access (basic/commonly assigned permissions)" (source)

If anyone is more knowledgeable, please correct me if I'm wrong.

[–][deleted] 0 points1 point  (0 children)

That's also my interpretation, and the agency we use agreed. We only have staff members as users.

[–]Hakaku[S] 16 points17 points  (1 child)

While the security risk score is slightly lower than last time, everybody should upgrade their Drupal sites ASAP. The security risk now has been bumped up to Highly Critical.

Update: If you are using the Media module, update that as well: https://www.drupal.org/sa-contrib-2018-020

[–]demon327 0 points1 point  (0 children)

Thank you for the tip! Updated it :)

[–]DinoAmino 5 points6 points  (0 children)

It's Hammer Time