==Security==
Drupal's policy is to announce the nature of each security vulnerability once the fix is released.<ref>{{Cite web | url=https://drupal.org/security-team | title=Security announcement and release process| author=Drupal| date=October 2005}}</ref><ref>{{Cite web | url=https://drupal.org/security-team/report-issue | title=How to report a security issue| author=Drupal}}</ref> Administrators of Drupal sites can be automatically notified of these new releases via the Update Status module (Drupal 6) or via the Update Manager (Drupal 7).<ref>{{Cite web | url=http://drupal.org/documentation/modules/update | title=Update manager (and Update status) | work=drupal.org | access-date=1 July 2011}}</ref> Drupal maintains a security announcement mailing list, a history of all security advisories, a security team home page, and an RSS feed with the most recent security advisories.<ref name="security">{{Cite web|url=http://drupal.org/security|title=Security advisories|work=drupal.org|access-date=28 April 2009}}</ref><ref>{{Cite web | url=http://drupal.org/security-team | title=Drupal security team| date=October 2005|publisher=Drupal.org | access-date=31 August 2011}}</ref><ref>{{Cite web | url=http://drupal.org/security/rss.xml | title=Drupal Security RSS feed|publisher=Drupal.org | access-date=31 August 2011}}</ref>

In mid-October 2014, Drupal issued a "highly critical" security advisory (SA-CORE-2014-005) regarding an [[SQL injection]] bug in Drupal 7, also known as Drupalgeddon.<ref>{{Cite web |last=Leyden |first=John |date=3 November 2014 |title=Drupal megaflaw raises questions over CMS bods' crisis mgmt |url=https://www.theregister.com/2014/11/03/drupal_drupalgeddon_analysis/ |website=www.theregister.com}}</ref><ref>{{cite web|url=https://www.drupal.org/SA-CORE-2014-005|title=SA-CORE-2014-005 - Drupal core - SQL injection|work=Security advisories|date=15 October 2014 |publisher=Drupal security team}}</ref><ref>{{cite web|url=https://www.drop-guard.net/blog/drupalgeddon-panama-papers|work=Blog|publisher=Drop Guard|title=Drupalgeddon strikes back: outdated Drupal allegedly linked to "Panama Papers"|access-date=13 July 2016|archive-date=11 June 2016|archive-url=https://web.archive.org/web/20160611201911/http://www.drop-guard.net/blog/drupalgeddon-panama-papers|url-status=dead}}</ref> Upgrading to Drupal 7.32 fixes the vulnerability but does not remove any [[backdoor (computing)|backdoor]] installed by attackers if the site has already been [[exploit (computer security)|compromised]].<ref>{{cite web|url=https://www.drupal.org/PSA-2014-003|title=Drupal Core—Highly Critical—Public Service Announcement—PSA-2014-003|date=29 October 2014|work=Security advisories|publisher=Drupal security team|quote=<p>You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.</p><p>'''Simply updating to Drupal 7.32 will not remove backdoors'''....updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn't do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.</p>|via=Drupal.org}}</ref> Attacks began within hours of the announcement. According to the Drupal security team, any site that was not patched within hours of the announcement should be considered compromised: it should be taken offline and replaced with a static HTML page, and the administrator of its server should be told that other sites on the same server may also have been compromised. The team also warned that a site found to be already patched without its administrator having applied the patch may have been patched by an attacker, since some attacks applied the fix to keep other attackers out. To recover, the site must be restored from backups taken before 15 October, patched and manually updated, and any content merged back from the compromised site must be audited.<ref>{{Cite web|url=https://gcn.com/blogs/cybereye/2014/11/open-source-attacks.aspx|title=Attacks on open source call for better software design -|last=Robinson|first=Brian|date=7 November 2014|website=GCN|access-date=29 July 2016|archive-date=18 August 2016|archive-url=https://web.archive.org/web/20160818211205/https://gcn.com/blogs/cybereye/2014/11/open-source-attacks.aspx|url-status=dead}}</ref>

In late March 2018, a patch for vulnerability CVE-2018-7600 (SA-CORE-2018-002), also dubbed ''Drupalgeddon2'', was released. The underlying bug allows remote attackers without special roles or permissions to take complete control of Drupal 6, 7, and 8 sites.<ref>{{Cite web|url=https://dropsolid.com/en/blog/how-we-installed-drupal-security-patch-1300-sites-stress-free|title=How we installed a Drupal security patch on 1300 sites, stress-free!|website=Dropsolid|date=4 April 2018 |access-date=11 March 2019}}</ref><ref>{{cite web|title=FAQ about SA-CORE-2018-002|url=https://groups.drupal.org/security/faq-2018-002|publisher=Drupal Security Team|access-date=23 April 2018}}</ref> Drupal 6 had reached end-of-life on 24 February 2016 and does not receive official security updates (extended support is available from two paid Drupal 6 Long Term Support vendors).<ref>{{Cite web|date=9 November 2015|title=Drupal 6 end-of-life announcement|url=https://www.drupal.org/forum/general/news-and-announcements/2015-11-09/drupal-6-end-of-life-announcement|access-date=1 May 2021|website=Drupal.org}}</ref> Starting in early April 2018, large-scale automated attacks against vulnerable sites were observed, and on 20 April a high level of penetration of unpatched sites was reported.<ref>{{cite news|last1=Goodin|first1=Dan|title="Drupalgeddon2" touches off arms race to mass-exploit powerful Web servers|url=https://arstechnica.com/information-technology/2018/04/drupalgeddon2-touches-off-arms-race-to-mass-exploit-powerful-web-servers/|access-date=23 April 2018|publisher=[[Ars Technica]]|date=20 April 2018}}</ref>

In December 2019, Drupal patched an arbitrary file upload flaw affecting Drupal 8.8.x before 8.8.1 and 8.7.x before 8.7.11; Drupal rated the vulnerability moderately critical.<ref>{{Cite web|url=https://duo.com/decipher/drupal-patches-arbitrary-file-upload-flaw|title=Drupal Patches Arbitrary File Upload Flaw|website=Decipher|date=23 December 2019 |access-date=23 December 2019}}</ref><ref>{{Cite web|url=https://www.drupal.org/sa-core-2019-009|title=Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009|date=18 December 2019|website=Drupal.org|access-date=23 December 2019}}</ref> In September 2022, Drupal issued two security advisories for a severe vulnerability in Twig affecting Drupal 9.3 and 9.4.<ref>{{Cite web |last=Montti |first=Roger |date=1 October 2022 |title=Drupal Warns of Critical High Severity Vulnerability |url=https://www.searchenginejournal.com/drupal-critical-vulnerability/466647/ |access-date=11 October 2022 |website=Search Engine Journal |language=en}}</ref> That week, Drupal also announced a patch for the S3 File System module to fix an access bypass issue.<ref name=":5" /> In January 2023, Drupal announced software updates to resolve four vulnerabilities in Drupal core and three contributed modules.<ref>{{Cite web |last=Arghire |first=Ionut |date=20 January 2023 |title=Drupal Patches Vulnerabilities Leading to Information Disclosure |url=https://www.securityweek.com/drupal-patches-vulnerabilities-leading-information-disclosure |access-date=20 January 2023 |website=www.securityweek.com}}</ref>