
How to bypass Drupal's strong security?

Interestingly enough, today I received a Security Advisory from Drupal saying that users received an email from a hacker asking them to install a Trojan module on their Drupal system.

I find it quite interesting since, if Drupal wasn't secure, the hackers would not have to ask you to make it insecure, would they?

However, this shows how many CMS systems introduce a security problem into your web server installation: to work at all, they require the web server to be allowed to execute any PHP file under the site's directory, so a single extra .php file dropped in (for example by a Trojan module) is enough to give an attacker code execution...

All the files installed on your web server that are directly accessible from the outside (e.g. http://www.m2osw.com/this-file.html) are at risk unless you specifically change your web server's configuration so that it only executes the files you trust.

A better scheme would be to place all the .php files in a private folder (outside the document root), except for the very few that still need to be publicly accessible. In the case of Drupal, that would be limited to index.php, cron.php and update.php. All the other PHP files should be in a private folder! It would greatly reduce potential problems (and this is the way I program Made to Order Software systems such as Order Made!)
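For a stock Drupal install you cannot simply move its PHP files out of the document root, but you can get most of the benefit from the web server side by refusing to serve any .php file except the trusted entry points. The fragment below is an added example (not code from the original post, and not Drupal's own .htaccess); it assumes Apache 2.4 with mod_php, a hypothetical document root of /var/www/drupal, and a Drupal that only needs index.php, cron.php and update.php reachable from the outside (add install.php while installing, or xmlrpc.php if you actually use it).

```apache
# Added example, not part of the original post or of Drupal itself.
# Apache 2.4 vhost fragment: by default no PHP file under the document root
# may be requested directly; only the three trusted entry points are
# re-opened. Assumed path: /var/www/drupal (hypothetical).
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/drupal

    <Directory /var/www/drupal>
        Options -Indexes +FollowSymLinks
        # Drupal's own .htaccess needs overrides for clean URLs (mod_rewrite).
        AllowOverride All
        Require all granted

        # Default rule: every .php file anywhere under the docroot is refused.
        # A module installed into sites/all/modules/ that ships its own
        # backdoor.php therefore cannot be reached from a browser.
        <FilesMatch "\.php$">
            Require all denied
        </FilesMatch>
    </Directory>

    # Re-open only the three entry points, matched on the request URL so that
    # an index.php placed inside a module directory stays blocked (a second
    # <FilesMatch> would match the bare file name in any subdirectory).
    # <Location*> sections are merged after <Directory>/<Files> sections, so
    # this grant wins over the denial above for exactly these three URLs.
    <LocationMatch "^/(index|cron|update)\.php$">
        Require all granted
    </LocationMatch>
</VirtualHost>
```

Two caveats a practitioner should check: first, with `AllowOverride All` an .htaccess file shipped inside a module directory could grant access to .php files again, so either restrict the override set to what Drupal's .htaccess really needs or move those rules into the vhost and disable overrides entirely; second, after applying the configuration, request a known non-entry-point .php file (for example one in a contributed module directory) and confirm you get 403, then confirm that clean URLs, cron and update.php still work.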

I certainly hope not too many people followed the hackers' instructions.