“The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a ‘Man In the Middle’ attack or sniffing software, which is outside of Drupal and presents a much bigger problem.
The Drupal Security team provides an easy way to report issues by sending emails to firstname.lastname@example.org, and we will credit researchers with all issues they report in this manner. No formal report of this issue was filed directly with our team. We encourage all researchers to follow the practice of responsible disclosure, and report directly to our team to ensure both that we can provide public credit for authentic vulnerabilities, and keep our users as secure as possible.”
Drupal has been steadily growing in popularity among live “dot gov” domains. According to one analysis, it powers nearly twice as many of those .gov domains as all other CMSs combined — though 93% of those run no detectable CMS. The analysis is currently being updated.
Ubuntu Lucid ships with PHP disabled for user directories. That’s a sensible security default, but it won’t allow your developers to get their work done. And if you’re working with Drupal, you’ll need all the steps listed here.
First, you’ll need to install Apache:
sudo apt-get install apache2
Then the compiled PHP binary (or “shared object” in Apache lingo):
sudo apt-get install php5
You may need to do
sudo /etc/init.d/apache2 restart or
sudo service apache2 restart to have it pick up the updated configuration file that loads the PHP5 module. Try visiting your own box at “localhost” to see if you get a nice “welcome” page. You can put an “
info.php” file in
/var/www to test if PHP is working (the contents of your info.php file are simply
<?php phpinfo(); ?>), and visit that in your browser.
Once you’ve gotten PHP running under Apache, edit
/etc/apache2/mods-available/php5.conf and comment out the lines as instructed:
<IfModule mod_php5.c> <FilesMatch "\.ph(p3?|tml)$"> SetHandler application/x-httpd-php </FilesMatch> <FilesMatch "\.phps$"> SetHandler application/x-httpd-php-source </FilesMatch> # To re-enable php in user directories comment the following lines # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it # prevents .htaccess files from disabling it. # <IfModule mod_userdir.c> # <Directory /home/*/public_html> # php_admin_value engine Off # </Directory> # </IfModule> </IfModule>
If you’re developing with Drupal, the following step may also be necessary: In
/etc/apache2/mods-available/userdir.conf, you should allow Drupal’s local
.htaccess file to override the Apache-wide configuration file, with:
(...) <Directory /home/*/public_html> AllowOverride All #AllowOverride FileInfo AuthConfig Limit Indexes #Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec (...)
Restart Apache with
sudo /etc/init.d/apache2 restart and you might be done!
Ever seen this when in Drupal’s administration pages?
Fatal error: Cannot redeclare getnodecount() (previously declared in /var/www/sites/site.org/htdocs/includes/common.inc(1685) : eval()'d code:3) in /var/www/sites/site.org/htdocs/includes/common.inc(1685) : eval()'d code on line 9
There are a few causes for this, as mentioned on drupal.org, but the one in which you might be interested (because your error message looks more similar to mine, above, than to the drupal.org documentation) is when PHP is actually contained in a block or node body. That’s something you should suspect if you see the above error message referring to PHP’s
To fix this, do something in MySQL like
WHERE body LIKE '%getnodecount%';
And edit the offending nodes in Drupal with a URL such as
The biggest problem is that he claims that Drupal is impenetrable, which it is. For many beginners, it has a steep learning curve. But he never makes the connection; why do your site visitors care? If millions of them appear, and your site continues to work well in response because it was built with a solid operational foundation instead of being built with something that has a cute-but-heavy GUI on the backend, don’t they benefit? It looks to me like Chris has unfortunately conflated the needs of end-users with the needs of site developers.
Also, I’d like to take my hat off to the organization that landed the $18M contract to migrate recovery.gov into Sharepoint. That’s a lot of money for a site built using tables in HTML and containing leftover hidden cruft like “this Web Part Page has been personalized. As a result, one or more Web Part properties may contain confidential information. Make sure the properties contain information that is safe for others to read. After exporting this Web Part…”