Drupal Changed Our Lives
It is very rare that something so powerful can change a company overnight. Our long history as a web development company can be defined in single word: "Custom". Custom web designs, custom web programming, and custom web applications. These skills are things that we are most proud to promote. However, a "custom" Website doesn’t have to mean starting from scratch. Today, with the power of the entire contributed Drupal community, things are different. There have been so many advances in Drupal’s open source solutions that it is impossible for any web development company to ignore. The Drupal framework only enhanced our ability to develop custom Websites for our clients. Drupal changed our lives — It opened up new doors for all of us at Nu-Designs and our clients.
What is Drupal?
Drupal is an open source platform for creating a Website. Thousands of web developers world wide use the Drupal platform. Many of these developers have contributed additional functions to the platform. These new functions are contributed to the Drupal community in the form of a Module. A Drupal module is a widget of code that works with the Drupal framework. The module basically plugs into the Website, adds new functionality and can be configured in a variety of ways. Today there is a library of over 8,000 Drupal modules available for any project. As a Drupal developer, Nu-Designs can leverage this module library for the benefit of our customers. We can utilize existing modules or we can make "custom" modules to meet our clients needs. The point is: why do something from scratch when it has already been done before? To find out more information about the Drupal framework, visit the Drupal.org Website.
If you are a Drupal developer be sure to check out our Drupal community site Made With Drupal.
News and Updates from Drupal.org
October 29, 2014
- Advisory ID: DRUPAL-PSA-2014-003
- Project: Drupal core
- Version: 7.x
- Date: 2014-October-29
- Security risk: 25/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:All
This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Simply updating to Drupal 7.32 will not remove backdoors.
If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.Data and damage control
Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.
Take a look at our help documentation, ”Your Drupal site got hacked, now what”Recovery
Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.
Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.
The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:
- Take the website offline by replacing it with a static HTML page
- Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
- Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
- Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
- Update or patch the restored Drupal core code
- Put the restored and patched/updated website back online
- Manually redo any desired changes made to the website since the date of the restored backup
- Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.
For more information, please see our FAQ on SA-CORE-2014-005.Written by
- Michael Hess of the Drupal Security Team
- Stéphane Corlosquet of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Rick Manelius of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005.
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.Drupal 7.x
The biggest issues pointed out by the community had to do with the tone of the language in the documents. Many pointed out that it did not match the values of our community. We took a closer look at organizations such as the Wikimedia Foundation and Mozilla, incorporating some of the approaches they took to make our terms a bit more human. We trimmed and shortened what we could. We clarified where things were ambiguous. The end result is much more in line with our community values.
Some examples of changes include the following:
- When possible, we changed the tone of both documents to make them more friendly.
- We removed capital letters and used other means to make specific parts of the document noticeable.
- We deleted a couple of references to collecting data that we do not actually collect.
- We clarified that we won’t block accounts “for any and no reason”, but only in cases of Terms of Service, Code of Conduct and Git access policy violations.
- We clarified active notification of users about material changes to policy. We will send an email at least 72 hours prior to changes going into effect. This will give users time to delete their accounts if they don’t want to accept new policies.
- We added contact info and updated all phone numbers, addresses etc. to be formatted according to international standards.
- We clarified that you don’t need to create an account to access the Website, just some parts of it.
- We clarified how to notify us in case of unauthorized access to user account.
- We clarified how long do we store data after it has been removed from user profile.
We did leave some things from the previous draft without major changes, such as bullet points under section C, for example. And we did it for a reason. One of our goals is to make Drupal.org a place where everyone feels comfortable. Additionally, we have to ensure that Drupal.org is protected if a legal issue does arise. Those bullet points are there not because we want to be able to police or censor the activity on the site. This language exists because it protects Drupal.org if one user takes issue with content from another user. We will still use the process outlined in the Drupal Code of Conduct to resolve any issues whenever we can.
With that in mind, please take a look at the latest drafts:
Thank you for all your help in building these documents.
October 22, 2014
Drupal.org will be affected by maintenance Thursday, October 23rd 14:00 PDT, 21:00 UTC.
An increase of the MySQL innodb_buffer_pool_size will cause a short downtime for Drupal.org while MySQL is restarted. We plan on a 30 minute window of potential instability, though the actual outage should be 5 minutes or less.
Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.
Thanks for your patience!
- 1 of 5