[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Khalid Baheyeldin kb at 2bits.com
Thu Mar 29 12:22:27 EDT 2018


Well, if the fixed version is released, then by definition the
vulnerability is disclosed to those who have the motivation to exploit it.

Here is an example from 2014, Drupalgeddon.

https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql

And here is the follow-up PSA two weeks after:

https://www.drupal.org/forum/newsletters/security-public-service-announcements/2014-10-29/drupal-core-highly-critical

The fix was a single line:

https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch

Anyone can diff the previous version to the new version and infer what the
problem is, and write an exploit for it. And that is exactly what happened.

On Thu, Mar 29, 2018 at 11:12 AM, Chris Irwin <chris at chrisirwin.ca> wrote:

> On Wed, Mar 28, 2018 at 10:51 PM, Bob Jonkman <bjonkman at sobac.com> wrote:
>
>> Khalid wrote:
>> > The FAQ is intentionally vague to make it hard(er) for exploiters.
>>
>> Not meaning to pile on Khalid, but that hardly seems like "full
>> disclosure" to me.
>>
>
> I have no experience with Drupal, or their history of disclosure, but I
> think this kind of partial disclosure is common for serious vulnerabilities.
>
> But I like the model that Gitlab uses. They release security updates
> immediately, referencing the appropriate CVEs, but wait 30 days for full
> disclosure. Not that exploits will take 30 days to reverse-engineer, but it
> at least should give a chance to have patched systems out there.
>
> In the case of a super-serious flaw, they've gone as far as announcing
> ahead of time that the release is coming out at XX time on YY day, and be
> prepared to upgrade. For example:
>
> https://about.gitlab.com/2018/01/12/gitlab-critical-release-preannouncement/
>
> --
> Chris Irwin
> <chris at chrisirwin.ca>
>
>


-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- anonymous