The Drupal project, which manages development of the content management system of the same name, reset passwords for nearly 1 million users on May 29 after its security team discovered that the site had been compromised using a vulnerability in a third-party application.
The project’s security team found suspicious files during a security audit, which they continue to analyze, but decided to notify Drupal users that their information may have been leaked, Holly Ross, the executive director of the Drupal Association, said in a blog post. The information exposed by the breach included user names, e-mail addresses and hashed passwords, she said.
“Upon discovering the files during a security audit, we shut down the association.drupal.org Website to mitigate any possible ongoing security issues related to the files,” she wrote. “The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.”
Online attackers’ focus on Drupal is unsurprising. At least two other open-source content management platforms—WordPress and Joomla—have been targeted by attackers intent on creating botnets out of high-bandwidth Web servers from which they can launch large distributed denial-of-service attacks against other sites. Among the high-profile sites that use Drupal are the Websites of the White House and the Economist. The project does not believe that any of its code has been impacted by the compromise.
“We have no evidence to suggest that an unauthorized user modified Drupal core or any contributed projects or packages on Drupal.org,” Ross said. “Software distributed on Drupal.org is open source and bundled from publicly accessible repositories with log histories and access controls.”
In its 2011 Annual Report, the Drupal Association, which supports development of Drupal, said it had more than 800,000 users, 16,000 developers and more than 1 million sites using Drupal.
The open-source project has taken a number of steps to better secure its infrastructure following the attacks, including rebuilding its servers and adding grsec kernel extensions to harden the Linux operating system. It also further hardened the Apache Web configurations and scanned the infrastructure with antivirus scanners. The group stressed that the attack was made possible through a flaw in a third-party application that had been publicly disclosed, not because of a vulnerability in Drupal.
“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed,” Ross wrote. “We are still investigating and will share more detail when it is appropriate.”
Yet because the attack exploited an authorized application, Drupal needs to do more, Chris Wysopal, co-founder and chief technology officer of application-security firm Veracode, told eWEEK. Drupal should have boosted the security of its site because of the likelihood that attackers would target its systems, he said. In addition, in revising its security measures, the project should implement defenses designed to stop vulnerabilities in authorized code, because that is the way attackers breached its systems.
“A lot of the things they are doing is detecting software that is not supposed to be running on the system,” he said. “But who knows what this third-party software was doing. It may have had been an administrative console and so had administrative access to the server. They have not put a control in place specifically addressing the problem that they had, which is running vulnerable software or not keeping that up-to-date.”
The Drupal project plans to issue more technical details when it has finished its analysis of the attack.