Drupal modules vulnerability, THE third-party plugins issue (again)
Author: Bernard Sfez
Drupal is calling upon its users to patch a dangerous remote code execution hole that can easily let attackers hijack sites. The content management system has some 15 million downloads, compared to WordPress with 140 million and Joomla with 30 million. Drupal is deployed on big ticket and business sites including nine percent of the world’s 10,000 most popular sites.
Although Drupal core is not affected and not all sites will be impacted, the issue again raises the question of third-party modules/plugins/add-ons that are not part of the core code but may cause significant damage to the project itself, your users, your business and all your hard work. It is critical to review the published advisories (July 12, 2016) to determine whether any modules you currently use have been flagged.
Affected modules include the RESTWS module, which is used to create REST APIs and is installed on as many as 5,804 sites. The remote code execution flaw was found by Devin Zuczek (@djdevin) and is rated highly critical.
The Coder module, used by at least 4,951 sites for code analysis, is also affected by a remote code execution flaw, discovered by NCC researcher Nick Bloor (@nickstadb). It is rated highly critical because the module does not need to be enabled for someone to exploit it: the vulnerable code only has to be present on disk.
The Webform Multiple File Upload module, which some 3,076 sites use to collect files from users, is the last affected module. This critical flaw was discovered by Australian Drupal security researcher Ben Dougherty (@_benjy1).
To exploit it, an attacker needs to be able to submit a web form with specially crafted input and, depending on the site's configuration, this might require authentication. Because these mitigating factors limit the flaw's impact, it was rated only critical.
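The Coder case shows why "which modules are enabled" is the wrong question when checking a site against an advisory: the code only has to exist on disk. The following shell script is an added example, not code from the original post or from the Drupal project; it inventories a Drupal 7 code base by looking for the `.info` file of each module name you pass it, anywhere under `modules/` and `sites/`, and reports the version string it finds. The module machine names used in the demo (`restws`, `coder`, `webform_multiple_file`) and the sample versions are assumptions, and since the advisories' fixed versions are not quoted on this page the script reports rather than judges.

```shell
#!/bin/sh
# Added example: list the named Drupal 7 modules present on disk, enabled or
# not, with the version declared in each module's .info file.
# Usage: scan_drupal_modules <drupal_root> <machine_name>...
# Output: one line per hit, "machine_name<TAB>version<TAB>path/to/.info".
scan_drupal_modules() {
    root="$1"
    shift
    for name in "$@"; do
        # Contrib modules live under sites/*/modules (often in a contrib/
        # subfolder) or, less commonly, under modules/. Missing paths are
        # simply skipped.
        find "$root/modules" "$root/sites" -type f -name "$name.info" 2>/dev/null |
        while read -r info; do
            # Drupal .info files are INI-like, e.g.:  version = "7.x-2.5"
            version=$(sed -n 's/^version[[:space:]]*=[[:space:]]*//p' "$info" | tr -d '"' | head -n 1)
            printf '%s\t%s\t%s\n' "$name" "${version:-unknown}" "$info"
        done
    done
}

# Constructed sample tree standing in for a real Drupal 7 install. The module
# names and version numbers here are made up for the demo, not real advisory data.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sites/all/modules/contrib/coder" \
             "$tmp/sites/all/modules/restws" \
             "$tmp/sites/all/modules/views"
    printf 'name = Coder\nversion = "7.x-2.5"\n' > "$tmp/sites/all/modules/contrib/coder/coder.info"
    printf 'name = RESTful Web Services\nversion = "7.x-2.4"\n' > "$tmp/sites/all/modules/restws/restws.info"
    printf 'name = Views\nversion = "7.x-3.0"\n' > "$tmp/sites/all/modules/views/views.info"
    # Only the three modules from the advisories are asked for, so Views is
    # ignored and Webform Multiple File Upload is simply absent from the tree.
    scan_drupal_modules "$tmp" restws coder webform_multiple_file
    rm -rf "$tmp"
}
```

Run `scan_drupal_modules /var/www/drupal restws coder webform_multiple_file` against a real site root to get the list to compare with the advisories' fixed versions.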
You may feel that you are unaffected by these vulnerabilities on your own system or portal, but there are at this time thousands of machines (generally based in Asia and Eastern Europe) harvesting petabytes of data to be investigated for future use, for indirect attacks, or simply to acquire and improve penetration tools and skills. The extraordinary Panama Papers leak from law firm Mossack Fonseca, which exposed the tax-avoiding efforts of the world's richest and most influential people, was initially believed to be the result of an unpatched vulnerability in the popular content management systems Drupal and WordPress.
Drupal has more than 30,000 developers who have contributed more than 33,000 modules.
Isn't that a significant number of modules? Isn't that great?
Using third-party plugins cannot be considered a minor question while you are evaluating the best solution to build your website or web app. If the first concern may be summarized as "does it work as promised", the second, coming right before production, is "do all the plugins work together in harmony". You may think that once it is working, if it is working, after one or two workarounds you've gotten it done. This is not true! Third-party plugin usage is an important decision with consequences that will be felt more and more as time goes by. Inevitably the core system will evolve and there will be upgrades. User behaviour will evolve and change, as will the ways people interact with the site and the devices they use. You will depend on the goodwill (or business health) of the plugin's developer (in 95% of cases a single person) to update it to adapt to the changes that occur. You will have to depend on the time they can allot to this particular plugin, if they are still willing to maintain it at all.
I like interaction, but I tend to feel more comfortable without third-party plugins or modules when possible. This is one of the reasons (along with real multilingual features, including right-to-left support) I started to use Tiki Wiki, and I stick to it. Relying on this solid open-source CMS and webapp builder, I have managed hundreds of projects and committed myself to the code, so I became a Tiki Wiki specialist, release manager and admin.
I'm not the kind to say, "just do it the way I do it". I just hope I have raised the concern about the way you want to think about third-party plugins. I invite you to study the question, search and look for other opinions. Choose what is the best fit, by looking at all aspects of the question.