How do they receive vulnerability report ahead of general public? From whom?
Cary
On Friday, October 31, 2014, Lin, Kun <[log in to unmask]> wrote:
> If you are using drupal as main website, consider using Cloudflare Pro.
> It's just $20 a month and worth it. They'll help block most attacks. And
> they usually receive vulnerability report ahead of general public.
>
> Kun
>
> -----Original Message-----
> From: Code for Libraries [mailto:[log in to unmask] <javascript:;>]
> On Behalf Of Cary Gordon
> Sent: Friday, October 31, 2014 9:59 AM
> To: [log in to unmask] <javascript:;>
> Subject: Re: [CODE4LIB] Terrible Drupal vulnerability
>
> This is what I posted to the Drupal4Lib list:
>
> --------------------
>
> By now, you should have seen https://www.drupal.org/PSA-2014-003 and
> heard about the "Drupageddon" exploits. and you may be wondering if you
> were vulnerable or iff you were hit by this, how you can tell and what you
> should do. Drupageddon affects Drupal 7, Drupal 8 and, if you use the DBTNG
> module, Drupal 6.
>
> The general recommendation is that if you do not know or are unsure of
> your server's security and you did not either update to Drupal 7.32 or
> apply the patch within a few hours of the notice, you should assume that
> your site (and server) was hacked and you should restore everything to a
> backup from before October 15th or earlier. If your manage your server and
> you have any doubts about your file security, you should restore that to a
> pre 10/15 image, as well or do a reinstall of your server software.
>
> I know this sounds drastic, and I know that not everyone will do that.
> There are some tests you can run on your server, but they can only verify
> the hacks that have been identified.
>
> At MPOW, we enforce file security on our production servers. Our
> deployments are scripted in our continuous integration system, and only
> that system can write files outside of the temporal file directory (e.g.
> /sites/site-name/files). We also forbid executables in the temporal file
> system. This prevents many exploits related to this issue.
>
> Of course, the attack itself is on the database, so even if the file
> system is not compromised, the attacker could, for example, get admin
> access to the site by creating an account, making it an admin, and sending
> themselves a password. While they need a valid email address to set the
> password, they would likely change that as soon as they were in.
>
> Some resources:
> https://www.drupal.org/PSA-2014-003
>
> https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-injection-announcement
>
> http://drupal.stackexchange.com/questions/133996/drupal-sa-core-2014-005-how-to-tell-if-my-server-sites-were-compromised
>
> I won't attempt to outline every audit technique here, but if you have any
> questions, please ask them.
>
> The takeaway from this incident, is that while Drupal has a great security
> team and community, it is incumbent upon site owners and admins to pay
> attention. Most Drupal security issues are only exploitable by privileged
> users, and admins need to be careful and read every security notice. If a
> vulnerability is publicly exploitable, you must take action immediately.
>
> Thanks,
>
> Cary
>
> On Thu, Oct 30, 2014 at 5:24 PM, Dan Scott <[log in to unmask]
> <javascript:;>> wrote:
>
> > Via lwn.net, I came across https://www.drupal.org/PSA-2014-003 and my
> > heart
> > sank:
> >
> > """
> > Automated attacks began compromising Drupal 7 websites that were not
> > patched or updated to Drupal 7.32 within hours of the announcement of
> > SA-CORE-2014-005
> > - <https://www.drupal.org/SA-CORE-2014-005>Drupal
> > <https://www.drupal.org/SA-CORE-2014-005> core - SQL injection
> > <https://www.drupal.org/SA-CORE-2014-005>. You should proceed under
> > the assumption that every Drupal 7 website was compromised unless
> > updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the
> announcement.
> > """
> >
> > That's about as bad as it gets, folks.
> >
>
>
>
> --
> Cary Gordon
> The Cherry Hill Company
> http://chillco.com
>
--
Cary Gordon
The Cherry Hill Company
http://chillco.com
|