Content Management System Flaw Leaves 1 Million Websites Vulnerable

Domains Operated by North Korean Hackers Are Taken Down

A vulnerability discovered in a popular CMS (content management system), Drupal, could leave some 1 million websites exposed to attack, if left unpatched.

LaLabeledy Drupal’s own developers as “highly critical”, the vulnerability allows various attack points that could enable hackers to gain complete control of a website. The vulnerability affects a number of versions including Drupal 6.x, Drupal 7.x and Drupal 8.x.

The CMS is a crucial component of a website that serves as a database to store and manage all digital input including images, photos, articles and more. A CMS fundamentally helps the website figure among major search engines like Google, Yahoo and Bing. Drupal is among a number of popular content management system such as Joomla, Kentico, WordPress and more.

According to research from BuiltWith, 37 percent of websites using a CMS rely on WordPress followed by Drupal at nine percent and Google’s Search Appliance at three percent. Drupal powers some 928,443 websites while WordPress backs nearly 20 million websites or 5.3 percent of the entire internet.

The vulnerability, dubbed SA-CORE-2018-002, was discovered by Jasper Mattsson of Druid, a development house during a routine Drupal security audit. While the Drupal team didn’t delve into specifics, the researchers do admit that hackers could compromise a Drupal-based website.

The vulnerability, according to the company’s own in-house scoring system covers:

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

“Note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change,” the Drupal team stated. “The Security Team strongly recommends that the best solution is for sites to upgrade.”

Image credit: LIFARS archive.