How to Hack Website on Drupal CMS


Drupal is one of the most famous and popular open-source CMSs written in PHP. The CMS itself is built on the right approach, with an eye to security guidelines. Architecturally, Drupal is a very secure system: security fixes for the core and for modules come out quickly, and hacking it through holes is not so easy.

Drupal is reliable in itself. A hack can be caused only by the use of unverified modules, by programmer errors in custom modules written for the site, by server configuration errors, or by non-compliance with the basics of Drupal security.

By the way, the Drupal Security group very often issues security news about vulnerabilities of a critical level. Drupal is therefore safe only for the time being, until a new version comes out and the vulnerability it removes is revealed to all hackers. Drupal sites that are not updated immediately after the release of a security update often come under attack.

As with other CMSs, most vulnerabilities come from plugins, themes and other custom functions. It is most convenient to have a tool that shows the versions of Drupal and its components. Knowing them, you can search for known vulnerabilities.

Usually, vulnerabilities are detected by bots: programs written by hackers to search the Internet for sites on different CMSs. Bots perform basic actions, for example trying to register or to log in as admin with the password 11111, as well as more complex ones. If the site does have a vulnerability, the bot runs its program and reports the site to the hacker's database of broken sites. The attacker can then perform illegal actions if your site is profitable, for example because it has high traffic.

But now we will talk about a vulnerability of another kind, namely the stupidity, oversights and carelessness of web developers who give anonymous and other users access to the “PHP Code” input format. That access allows any PHP code to be run without access to the site's admin area. Every guide to Drupal security says to be careful with the built-in “PHP Code” module and not to grant access to it to strangers, let alone to unauthorized visitors. But, as we will see, these requirements are often neglected…

The all-powerful Google will help us search for vulnerable sites running on Drupal. Its search operators let you find sites by many very interesting parameters. We will look for indexed content-editing pages where one of the input filters (or the only one) is “PHP code”.

Search Algorithm:
1. The page URL must contain “node” and “edit”;
2. The page in the text should mention the phrase “You may post PHP code”.

The “inurl” operator, which finds sites whose URL contains certain words, will help us here. In our case the words are “node” and “edit”.

A search on these criteria is performed with the query: inurl:node inurl:edit “You may post PHP code”

Next you will see a list of vulnerable sites running on Drupal. Obviously, many of them have already been used by spammers.

What does this expose your Drupal website to? An attacker can upload a shell, spam the site, and scan the server.

How to protect yourself from this? Disable the “PHP Code” module. If that cannot be done at all, then limit the rights to it to a minimum of people, preferably only the chief administrator.
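One way to check your own site for this misconfiguration, as an added example that is not code from the original article or from the Drupal project: list every role that is allowed to use the PHP code format and rank the exposure. It assumes the Drupal 7 schema (tables `role`, `role_permission`, `system`; permission `use text format php_code`; role ids 1 and 2 for anonymous and authenticated users), since the article names no version. The sample database is constructed in SQLite so the audit runs offline, and the same query can be run against a copy of the real database.

```python
import sqlite3

# Assumption: Drupal 7 schema and built-in role ids; the article names no version.
ANONYMOUS_RID, AUTHENTICATED_RID = 1, 2
PHP_PERMISSION = "use text format php_code"

AUDIT_SQL = """
SELECT r.rid, r.name
FROM role_permission rp
JOIN role r ON r.rid = rp.rid
WHERE rp.permission = ?
ORDER BY r.rid
"""

def audit_php_format(conn):
    """Return (module_enabled, findings); findings are (severity, rid, role)."""
    row = conn.execute(
        "SELECT status FROM system WHERE type = 'module' AND name = 'php'"
    ).fetchone()
    enabled = bool(row and row[0])
    findings = []
    for rid, name in conn.execute(AUDIT_SQL, (PHP_PERMISSION,)):
        if rid == ANONYMOUS_RID:
            severity = "CRITICAL"  # unauthenticated visitors can run PHP
        elif rid == AUTHENTICATED_RID:
            severity = "HIGH"      # any self-registered account can run PHP
        else:
            severity = "REVIEW"    # custom role: confirm it is admin-only
        # A grant left behind while the module is off returns when it is re-enabled.
        findings.append((severity if enabled else "DORMANT", rid, name))
    return enabled, findings

def sample_db(php_enabled=True):
    """Constructed sample data mimicking the three tables the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
        CREATE TABLE system (name TEXT, type TEXT, status INTEGER);
        INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),(3,'administrator');
        INSERT INTO role_permission VALUES
            (1,'access content','node'),
            (1,'use text format php_code','filter'),
            (3,'use text format php_code','filter');
    """)
    conn.execute("INSERT INTO system VALUES ('php','module',?)", (int(php_enabled),))
    return conn

if __name__ == "__main__":
    enabled, findings = audit_php_format(sample_db())
    print("PHP filter module enabled:", enabled)
    for severity, rid, name in findings:
        print(f"{severity}: role {rid} ({name}) may use the PHP code format")
```

Any CRITICAL or HIGH finding means the permission should be revoked from that role before anything else; DORMANT findings are worth cleaning up so the grant does not come back with the module.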

So don’t commit such nonsense, keep your core and modules up to date, and your site will be safe!