
Re: Re: Security support for CMSes



On Mon, Oct 8, 2012 at 12:18 AM, Peter Viskup <skupko.sk@gmail.com> wrote:
> I overlooked that it was not sent to the debian-user list.
>
> …
> I do not know what security issue was used to crack my site - they used
> some Drupal weakness to create some php files in the Drupal install dir
> remotely and without getting SFTP access.
> I had a look at the state of the drupal6 package just after and noticed
> there are some critical bugfixes not backported to the stable branch.
> That's all at the very moment.
In my experience, this correlation is good enough to reasonably assume causation.

When a website is compromised, and the software running the website has known vulnerabilities, there is rarely any need to look further. Such attacks are usually automated or semi-automated.

You can reduce the problems somewhat by using ModSecurity, and disallowing a bunch of PHP functions (eval, system, etc.) that many components/extensions/modules/plugins/themes seem to find useful.

This is not always practical, for instance when you use a third party webhost which does not offer these options, or when you do not have the know-how to configure these right.

I suspect that for software like Drupal, using a secondary package manager such as Portage may actually be better for the sysadmin.
--
Jan
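
The disable_functions hardening Jan mentions, as an added example that is not part of the thread: a small POSIX shell audit that reports which commonly abused PHP functions a given php.ini still leaves enabled, run against two constructed sample configs (a stock one that disables nothing and a hardened one). The function list, the file paths and the sample configs are my assumptions, not anything from the original mails. One caveat the audit encodes: eval cannot be covered this way, because it is a language construct rather than a function and disable_functions ignores it, which is one reason to pair the setting with ModSecurity as Jan suggests.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a php.ini for the
# disable_functions hardening discussed above. The function list and the
# sample configs below are assumptions chosen for illustration.

# Functions a dropped PHP webshell typically relies on. eval is deliberately
# not listed: it is a language construct, not a function, so disable_functions
# cannot block it; that case needs request filtering (e.g. ModSecurity).
DANGEROUS="exec passthru shell_exec system proc_open popen pcntl_exec"

# Print, one per line, the functions in $DANGEROUS that the given php.ini
# does NOT disable. Empty output means the whole list is covered.
# Usage: missing_disabled_functions /etc/php5/apache2/php.ini
missing_disabled_functions() {
    ini="$1"
    # Take the value of the last uncommented disable_functions line (a later
    # duplicate overrides an earlier one in PHP), dropping spaces and quotes.
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
               | tail -n 1 | tr -d ' "')
    for fn in $DANGEROUS; do
        case ",$disabled," in
            *",$fn,"*) ;;                    # disabled, nothing to report
            *)         printf '%s\n' "$fn" ;;
        esac
    done
}

# Demonstration on two constructed php.ini fragments (not real files from
# the thread): a stock setting that disables nothing, and a hardened one.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/weak.ini" <<'EOF'
; stock setting: nothing disabled
disable_functions =
EOF
    cat > "$dir/hardened.ini" <<'EOF'
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
EOF
    echo "weak.ini still allows:"
    missing_disabled_functions "$dir/weak.ini"
    echo "hardened.ini still allows:"
    missing_disabled_functions "$dir/hardened.ini"
    rm -r "$dir"
}

demo
```

disable_functions can only be set in php.ini itself (on Debian of that era, /etc/php5/apache2/php.ini), not in .htaccess or at runtime, and it takes effect after the web server is restarted; rerun the audit afterwards and expect an empty list. Before deploying the hardened line, check whether any installed module or theme genuinely calls one of these functions, since the thread's point is that many do and will break.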
