Sites that run the Drupal content management system run the risk of being hijacked until they're patched against a vulnerability that allows hackers to remotely execute malicious code, managers of the open source project warned Wednesday.
CVE-2019-6340, as the flaw is tracked, stems from a failure to sufficiently validate user input, managers said in an advisory. Hackers who exploited the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.
'Some field types do not properly sanitize data from non-form sources,' the advisory stated. 'This can lead to arbitrary PHP code execution in some cases.'
For a site to be vulnerable, one of the following conditions must be met:
- It has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests or
- It has another Web-services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7
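The two conditions above can be checked against a site's exported configuration before deciding how urgently to patch. The script below is an added example, not code from the article or from the Drupal project. It assumes the site's configuration has been exported (for instance with `drush config:export`) so that `core.extension.yml` and the `rest.resource.*.yml` files are available as text, and that the core version string comes from the `VERSION` constant in `core/lib/Drupal.php`. The sample configuration embedded in it is constructed, and the YAML fragments are read with a deliberately narrow line-based parser so that only the standard library is needed.

```python
"""Audit an exported Drupal 8 configuration for the CVE-2019-6340 conditions.

Added example; assumes a `drush config:export` tree and the core VERSION
string.  Drupal 7 is out of scope: its core needs no update, but the
Services / RESTful Web Services contributed modules do.
"""
import re

# Fixed releases named in the advisory: 8.6.x -> 8.6.10, 8.5.x or earlier -> 8.5.11.
FIXED_86 = (8, 6, 10)
FIXED_85 = (8, 5, 11)

# Drupal 8 web-services modules named in the text.  `rest` is a concern only
# when a resource accepts PATCH or POST; `jsonapi` is a concern when enabled.
REST_MODULE = "rest"
OTHER_WEB_SERVICE_MODULES = {"jsonapi"}
WRITE_METHODS = {"PATCH", "POST"}


def parse_version(version: str) -> tuple:
    """'8.6.9', '8.6.9-dev' or '7.64' -> (8, 6, 9) / (7, 64, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def core_needs_update(version: str) -> bool:
    """True when Drupal 8 core is older than the fixed release for its branch."""
    v = parse_version(version)
    if v[0] != 8:
        raise ValueError("this audit covers Drupal 8 core only")
    return v < FIXED_86 if v[:2] >= (8, 6) else v < FIXED_85


def enabled_modules(core_extension_yml: str) -> set:
    """Module names listed under the top-level `module:` key of core.extension.yml."""
    modules, in_block = set(), False
    for line in core_extension_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a new top-level key starts here
            in_block = line.strip() == "module:"
            continue
        if in_block:
            modules.add(line.split(":", 1)[0].strip())
    return modules


def resource_methods(rest_resource_yml: str) -> set:
    """HTTP methods listed under `methods:` in a rest.resource.*.yml file."""
    methods, in_list = set(), False
    for line in rest_resource_yml.splitlines():
        stripped = line.strip()
        if stripped == "methods:":
            in_list = True
        elif in_list and stripped.startswith("- "):
            methods.add(stripped[2:].strip().upper())
        elif in_list:                        # first non-item line ends the list
            in_list = False
    return methods


def resource_id(rest_resource_yml: str) -> str:
    m = re.search(r"^id:\s*(\S+)", rest_resource_yml, re.MULTILINE)
    return m.group(1) if m else "<unknown>"


def exposure(version: str, core_extension_yml: str, rest_resources) -> list:
    """Reasons the site meets a vulnerable condition; an empty list means none found."""
    if not core_needs_update(version):
        return []                            # fixed core: module state no longer matters
    modules = enabled_modules(core_extension_yml)
    reasons = []
    if REST_MODULE in modules:
        for yml in rest_resources:
            writable = sorted(resource_methods(yml) & WRITE_METHODS)
            if writable:
                reasons.append(f"rest enabled and resource {resource_id(yml)} "
                               f"accepts {'/'.join(writable)}")
    for name in sorted(OTHER_WEB_SERVICE_MODULES & modules):
        reasons.append(f"web-services module '{name}' is enabled")
    return reasons


# Constructed sample configuration shaped like a config export; not real site data.
SAMPLE_CORE_EXTENSION = """\
module:
  node: 0
  rest: 0
  serialization: 0
  user: 0
theme:
  bartik: 0
profile: standard
"""

SAMPLE_NODE_RESOURCE = """\
id: entity.node
plugin_id: 'entity:node'
configuration:
  methods:
    - GET
    - POST
    - PATCH
  formats:
    - json
"""

if __name__ == "__main__":
    for ver in ("8.6.9", "8.6.10"):
        findings = exposure(ver, SAMPLE_CORE_EXTENSION, [SAMPLE_NODE_RESOURCE])
        print(ver, "->", findings or "no exposure condition found")
```

Run against a real export, feed every `rest.resource.*.yml` file to `exposure()`; a REST resource that only lists `GET` does not trip the first condition, which matches the advisory's wording about PATCH or POST. The version check treats 8.5.11 and 8.6.10 as the floor for their branches and anything below 8.5 as needing the 8.5.11 update, exactly as the upgrade advice below states.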
Project managers are urging administrators of vulnerable websites to update at once. For sites running version 8.6.x, this means upgrading to 8.6.10; sites running 8.5.x or earlier should upgrade to 8.5.11. After updating core, sites must also install any available security updates for contributed projects. No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
Popular hacking target
Drupal is the third most widely used CMS behind WordPress and Joomla. Drupal project leaders said the CMS as of this month was used by about 1.2 million sites, but they also say the estimate is 'incomplete.' Outside estimates put Drupal's usage anywhere from 3 percent to 4 percent of all websites that run on a CMS. CVE-2019-6340 only affects a subset of Drupal sites, and project officials were unable to estimate its size.
While the precise figure is unknown, vulnerable Drupal sites number in the thousands, tens of thousands or possibly hundreds of thousands. Critical flaws in any CMS are popular with hackers, because the vulnerabilities can be unleashed against large numbers of sites with a single, often easy-to-write script. In 2014 and again last year, hackers wasted no time exploiting extremely critical code-execution vulnerabilities shortly after they were fixed by Drupal project leaders. Last year's 'Drupalgeddon2' vulnerability was still being exploited six weeks after it was patched, an indication that many sites that run on Drupal failed to heed the urgent advice to patch.
At the time this post was going live, there were no reports of the latest Drupal vulnerability being actively exploited in the wild. On Friday, researchers detected signs hackers were scanning the Internet for potentially vulnerable sites, an indication that active exploit attempts may follow.
This post was updated to remove estimates that millions of sites are vulnerable. As explained in the fourth- and fifth-to last paragraphs, the number is unknown, but is almost certainly less than that.
One of our newer Enterprise customers recently migrated to Pantheon for a number of reasons: they were struggling with slow performance, downtime and a lack of Drupal expertise from their existing vendor. One way we address these challenges is through our 30-day Launch Concierge process, available to all new Enterprise customers.
As part of the Launch Concierge, Pantheon performs an extensive review of the site - both static and manual analysis for best practices and performance concerns, along with load testing. Extensive, actionable reports are provided including recommendations for improving the site and ensuring a smooth site launch.
A concern that we identified during this particular launch was that the database was being used as Drupal's cache, and cache operations were happening at such a high volume and concurrency that even clearing the cache would take the entire site offline for minutes during peak traffic.
We recommended they switch caching to use redis as a drop-in replacement for caching, which Pantheon provides as a service on most plans. Redis (now known as Object Cache on Pantheon) is optimized for high performance storage and retrieval, and the installation process takes just moments.
The results were dramatic, and I've included some graphs from New Relic to show the difference. First, the most time consuming queries on the site; you can see when that overhead went away.
In the throughput graph, which combines every query across the site, not just the top five, the difference is even more apparent: the number of queries is much lower. The database response time itself didn't change, meaning that the query volume dropped sharply while the time per query stayed the same.
The application server response time tells the same story. The PHP execution (in blue) took the same amount of time, but the volume of database operations (orange) dropped.
So, there you have it. Limiting database operations to actual data and using Redis as a caching backend reduces overhead and improves performance. If you're interested in Launch Concierge and our Enterprise offerings, contact us today!