Thousands of websites running one of the world's most popular open source web content management systems (CMS) may have been compromised by a "highly critical" security flaw.

The team at Drupal acknowledged last week that a vulnerability that affected every site running Drupal 7 was about as bad as it could get — and that websites that did not update or patch promptly should probably assume the worst.

"If you did not update your site within seven hours of the bug being announced, we consider it likely your site was already compromised," the team noted in a security announcement.

Quick Update Needed

The issue began Oct. 15, when the Drupal security team announced that sites running Drupal 7 were highly vulnerable to SQL Injection (SQLi).

SQLi is an attack that exploits a security vulnerability in the database layer of an application (for example, in the way it builds its queries). Using SQL injection, the attacker can extract or manipulate the web application's data.

Specifically, the Drupal team noted, a vulnerability in Drupal 7's database abstraction API could enable hackers to gain access to the databases of those sites.
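The Drupal 7 flaw sat in the part of the abstraction layer that expands an array of values into query placeholders, where attacker-controlled array keys could reach the SQL text. As an added illustration that is not Drupal's code, this Python example shows the safe shape of such an expansion against an in-memory SQLite table with constructed rows: placeholders are generated by counting, keys are discarded, and user data travels only as bound parameters.

```python
import sqlite3

# Constructed sample rows, embedded so the example runs offline.
SAMPLE_USERS = [
    (1, "alice", "editor"),
    (2, "bob", "admin"),
    (3, "carol", "viewer"),
]


def _connect():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def expand_in_clause(column, values):
    """Build "column IN (?, ?, ...)" plus the parameter list to bind.

    Placeholders are generated by counting the values, never from the keys
    of the incoming array, so no caller-controlled text reaches the SQL
    string. Drupal's fix in 7.32 took the same shape: placeholder names are
    derived from a counter instead of from the array keys.
    """
    params = list(values.values()) if isinstance(values, dict) else list(values)
    if not params:
        raise ValueError("IN clause needs at least one value")
    if not column.replace("_", "").isalnum():
        raise ValueError("column name must be a plain identifier")
    placeholders = ", ".join("?" for _ in params)
    return f"{column} IN ({placeholders})", params


def find_users(values):
    """Return names of users whose uid matches any supplied value."""
    conn = _connect()
    try:
        where, params = expand_in_clause("uid", values)
        sql = f"SELECT name FROM users WHERE {where} ORDER BY uid"
        return [name for (name,) in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    print(find_users([1, 3]))
    # Keys are dropped and values are bound: SQL-looking input matches nothing.
    print(find_users({"1 OR 1=1": "1 OR 1=1"}))
```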

Drupal powers about 2.7 percent of the world's websites, behind only WordPress (47 percent) and Joomla (10.5 percent), according to BuiltWith, a website profiler tool. BuiltWith estimates 266,556 websites are currently using Drupal 7. 

However, Drupal itself reports 1,133,026 total Drupal sites, with 953,428 of those on Drupal 7. 

Another Report

Drupal officials followed their original security warning with an update two weeks later — and the news got worse.

Websites that were not updated or patched within seven hours of the initial security warning "should proceed under the assumption" they were compromised. And simply updating to Drupal 7.32 will not eliminate the risks.

The vulnerability hit home for Acquia, which provides open cloud hosting, developer tools and support for Drupal. The Burlington, Mass. Web CMS provider just last month was named a leader by Gartner in its Magic Quadrant for Web Content Management. 

Acquia, according to an Oct. 31 blog post, deployed a platform-wide shield that it claims protected all of its customer sites hosted on Acquia Cloud "from the moment the security announcement was issued."

Sites powered on the Acquia Cloud Platform remained "100 percent functional for visitors and content editors at all times and no site availability or performance was ever compromised," according to Christopher Rogers, Acquia senior public relations manager and blog post author.  

Will O'Keeffe, Acquia's vice president of global support, told CMSWire today that Acquia has more than 4,000 customers worldwide who rely on Drupal.

"The Acquia Cloud Platform allowed us to seamlessly implement the fix for our customers without causing any downtime or service interruption," he said. "The Drupal security team worked quickly to develop a solution and advise users promptly of the vulnerability and the remedy. They work fast and with discretion to create solutions to vulnerabilities before they can be exploited. The Drupal security team includes representatives from Acquia and several other companies that provide Drupal hosting and distribution."

Acquia and other leading Drupal hosts, including Pantheon and BlackMesh, issued quick fixes for their customers. But thousands of other Drupal 7 sites, hosted by smaller companies, were likely less protected.

It's Not Only Drupal

The lesson for Drupal users? Remain up-to-date on the latest Drupal core updates and security fixes, O'Keeffe said.

"If a site falls behind in these updates," he said, "it may compromise the ability to remain protected and impair a user’s ability to respond quickly to an imminent threat."

Asked if he would consider these types of attacks to Drupal rare, O'Keeffe said, "We don’t have evidence that it's targeted by hackers more than other software programs." 

Recent research seems to support his claim. Just last month, Imperva, an IT security firm, announced that WordPress — the world's most popular CMS — is also the most attacked.

According to Imperva's 5th annual Web Application Attack Report (WAAR), websites running WordPress were attacked 24.1 percent more than websites running on all other CMS platforms combined. In addition, WordPress suffers 60 percent more Cross Site Scripting (XSS) incidents than all other CMS-running websites combined.

The report noted: 

"WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers. We believe that popularity and a hacker’s focus go hand-in-hand. When an application or a platform becomes popular, hackers realize that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet."

Imperva's suggestions:

  • Deploy security solutions that mitigate against automated attacks.
  • Detect and block attacks that target known vulnerabilities.
  • Acquire intelligence on malicious sources and apply this intelligence in real time.
  • Participate in a security community and share threat intelligence.
  • Security procedures and solutions should be as automated as possible, since attack volume is too overwhelming for humans to monitor, and typically, there will be no advance warning of an attack.

Title image by Gábor Hojtsy (Flickr) via a CC BY-NC-SA 2.0 license.