Drupalgeddon Redux (2018)

In 2014 there was a large issue in the popular Drupal web platform / framework known as Drupalgeddon. The system is a popular tool for creating web sites, but many now use it for building sophisticated applications. This gives it a large attack surface, because it can do almost anything.

The original Drupalgeddon (SA-CORE-2014-005) was caused by SQL injection. This allowed attackers to craft SQL queries to read anything from the database or alternatively modify it at will. Now there is a new issue that is a simple input sanitization issue with request parameters.

This issue (CVE-2018-7600, SA-CORE-2018-002) affects at least Drupal 7.57, with the patch shipping in 7.58; the root cause is that the bootstrap simply does not sanitize unsafe values in the request. The change is shown in the code below, within the core bootstrap (includes/bootstrap.inc):

[Image: drupalgeddon-2018, the patch to includes/bootstrap.inc]

This comes from the patch shown on GitHub here: SA-CORE-2018-002 by Jasu_M, samuel.mortenson, David_Rothstein, xjm… The SA-CORE-2018-002 advisory covers a lot more issues that warrant upgrading to the latest Drupal 7.x and Drupal 8.x releases ASAP: Drupal Critical Vulnerabilities (SA-CORE-2018-002)
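The 7.58 fix strips request array keys that begin with "#" during bootstrap, because Drupal reserves "#"-prefixed keys for its internal render and Form API properties and they have no legitimate reason to arrive as user input. The following PHP is an added illustration written in that style; it is not the Drupal project's own code from includes/bootstrap.inc, and the function names and the optional allow-list parameter are assumptions made for this example.

```php
<?php
// Added illustration, not Drupal core code: a request sanitizer in the style
// of the SA-CORE-2018-002 fix. Keys starting with '#' are removed from every
// request superglobal before any module gets to see the request.

/**
 * Recursively remove keys that start with '#' from a request array.
 *
 * @param array $input     The array to clean, modified in place.
 * @param array $whitelist Keys allowed to keep their '#' prefix (hypothetical
 *                         per-site allow-list, empty by default).
 *
 * @return array The keys that were removed, for logging.
 */
function sanitize_request_input(array &$input, array $whitelist = array()) {
  $removed = array();
  foreach (array_keys($input) as $key) {
    // Numeric keys are ints in PHP, so only string keys can carry a '#'.
    if (is_string($key) && $key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
      unset($input[$key]);
      $removed[] = $key;
    }
    elseif (is_array($input[$key])) {
      // Nested arrays such as mail[#key] get the same treatment.
      $removed = array_merge($removed, sanitize_request_input($input[$key], $whitelist));
    }
  }
  return $removed;
}

/**
 * Apply the sanitizer to $_GET, $_POST, $_COOKIE and $_REQUEST once per request.
 *
 * @return array Removed keys grouped by superglobal name, so the caller can
 *               log them (Drupal itself would use watchdog() for this).
 */
function sanitize_request_superglobals(array $whitelist = array()) {
  static $done = FALSE;
  $report = array();
  if ($done) {
    return $report;
  }
  $done = TRUE;
  foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $name) {
    $keys = sanitize_request_input($GLOBALS[$name], $whitelist);
    if ($keys) {
      $report[$name] = $keys;
    }
  }
  return $report;
}

// Constructed sample request: one ordinary parameter, one '#'-prefixed key at
// top level and one nested inside an array parameter.
$_GET = array(
  'q' => 'user/register',
  '#bogus' => 'ignored',
  'mail' => array('#nested' => 'ignored', 'value' => 'user@example.com'),
);
$_POST = array();
$_COOKIE = array();
$_REQUEST = $_GET;

$report = sanitize_request_superglobals();
// $report['_GET'] and $report['_REQUEST'] now each list '#bogus' and '#nested';
// $_GET keeps only 'q' and 'mail' => array('value' => 'user@example.com').
foreach ($report as $name => $keys) {
  error_log(sprintf('Unsafe keys removed from %s: %s', $name, implode(', ', $keys)));
}
```

Logging the removed keys is worth keeping in production: a burst of "#"-prefixed parameters hitting a site is a useful detection signal for attempts against unpatched installations, and the log entry costs nothing once the keys are already stripped.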


Best reception smartphone

The company Zero Reception is developing a smartphone with maximum cellular network reception. The device runs Android, and the improved cell reception promises a fourfold improvement over other cellphones.

The device is known as Certum Phone and it is being developed in Finland by antenna specialists that have extensive industry experience in the field:

The Radientum crew hails from Tampere. The former Nokia/Microsoft engineers who founded the company in 2015 have over 15 years of experience in network simulation. The design of the “super antenna” in the Certum Phone is not a new innovation, it simply has not been applied optimally before. The Certum Phone has been designed “reception first” from the ground up.
– Certum Phone Android smartphone to provide the best signal reception

Improvements in cell reception allow better connectivity for all purposes: fewer dropped calls and improved data transfer over 3G and 4G networks in the wild or in challenging city spaces such as the subway. The Certum Phone is a crowdfunded project, with a campaign on Indiegogo.

90 Million Eurojackpot lottery win still not claimed in Finland – coupon lost?

In February 2018 a 90 Million euro prize was won in the town of Loimaa in Finland. A month later, none of the 16,000 residents of Loimaa has claimed the win. If the winners do not make themselves heard within a year, the prize will be lost. The unclaimed win does not affect any ongoing Eurojackpot games.

The Europe-wide EuroJackpot lottery has prizes ranging from 10-90 Million Euro. Countries participating in the lottery are: Croatia, Czech Republic, Denmark, Estonia, Finland, Germany, Hungary, Iceland, Italy, Latvia, Lithuania, the Netherlands, Norway, Slovakia, Slovenia, Spain, Sweden and Poland.

So far the maximum win of 90 M€ has been won by players in the Czech Republic, Finland and Germany. Currently it is speculated that the winning coupon for the massive win is lost, and it has even spurred some locals to post a humorous ad in the local Loimaa region newspaper:

Lost: game coupon; Eurojackpot for round 6/18. Fell on the Prisma parking lot on 8.2.2018. Finder's fee, if the found coupon is the one having significant sentimental value.

Source: Record 90 Million Eurojackpot prize remains unclaimed a month later

Massive WordPress keylogger snooping highlights the risks of using malicious Plugins

WordPress is the most popular tool for building marketing websites and even fully fledged web applications like social networks using BuddyPress and eCommerce sites using WooCommerce. Unfortunately the sprawling ecosystem is an issue that the WordPress community finds hard to contain.

With immense popularity, a large user base and somewhat shoddy architecture, WordPress is a tempting target for foul play. The core software has automatic updates that, properly used, would have prevented the Mossack Fonseca leak where WordPress had a part to play.

Avoid excessive use of WordPress plugins for security

Whether or not unmaintained Open Source was a reason for the Panama Papers leak does not change the fact that the WordPress ecosystem is a bit of a wild west. The secure core of WordPress does little good if insecure third party plugins are used. The plugins are the real strength of WordPress, but also its biggest weakness.

Now there is a report that the admin interfaces of over 2,000 WordPress installations are compromised, according to Ars Technica:

More than 2,000 websites running the open source WordPress content management system are infected with malware, researchers warned late last week. The malware in question logs passwords and just about anything else an administrator or visitor types.
– More than 2,000 WordPress websites are infected with a keylogger

This is a follow-up to the cleanup of some 5,500 malicious plugins done together with Sucuri and CloudFlare in December 2017. With the rise of blockchain based cryptocurrencies, the current flavour of attacks also uses visitors' browsers to mine cryptocurrency for direct financial gain.

In 2018 WordPress remains as dominant as ever, but users should take care to keep their installation up-to-date and avoid installing WordPress plugins that are not well known and acknowledged. Illegally obtained commercial plugins in particular are very likely to contain malicious code.

Police raid OneCoin HQ in Bulgaria

Police have raided the headquarters of the OneCoin organisation in Bulgaria. OneCoin is a suspected Ponzi scam disguised behind the veil of blockchain technology. Since the meteoric rise of Bitcoin, Litecoin and other cryptocurrencies, the market is attractive to scammers.

Operating since 2015, OneCoin is estimated to have attracted some 3 Million investors. The scheme has faced action from the authorities before, but the joint raid between Bulgarian and German police as well as Europol is the most significant so far. The leadership of the scheme has reportedly fled the country before.

Bulgarian police have released a YouTube video of the materials seized in the OneCoin raid.

Best Open Source Contentful CMS Alternatives in 2018

Contentful is a popular content management tool. It is a fully managed service, where the whole technical development and maintenance is handled by the company for a fixed fee. This removes some of the fixed costs of hosting and developer investment from the equation.

Contentful and other headless CMSes offer flexibility for developers to create uncompromised online experiences with the most suitable technology. As opposed to previous generation monolithic CMSes this opens up new possibilities, but it can also add complexity when constructing decoupled sites with Next.js or other universal JavaScript frameworks.

The traditional Open Source CMS market is quite well established, with a few leading global players like WordPress and regional champions like TYPO3 in Germany. For Open Source headless CMSes the market is much more in flux; so far there are no clear leaders in the marketplace. The convenience of Contentful and other proprietary CaaS (Content as a Service) providers is tempting.

Open Source Headless CMSes market still maturing

Limitations in integrations and skyrocketing costs when dealing with large volumes of content are a deterring factor for some companies. This is why there is a clear demand for Open Source headless CMSes, and there are already some enticing options available on the market.

  • Directus – A next generation PHP based headless CMS
  • GraphCMS – A proprietary CaaS in the process of Open Sourcing
  • Gentics Mesh – A feature rich Java based headless CMS

Each of the above options has its own strengths and weaknesses, with some interesting details discussed in the following links:

Open Source GraphQL Backend as a Service

Most of the recent entrants to the market are starting to boast GraphQL as their interface, as REST APIs remain common but are less ergonomic for site building. For developers looking for an Open Source GraphQL BaaS (Backend as a Service), there are now interesting new options that use relational database features to create a thin GraphQL layer on top.

Two notable options in this space are Prisma and PostGraphile, with a brief introduction available online:

Matt Mullenweg to make WordPress great again – puts releases on hold

In his State of the Word 2016 speech Matt Mullenweg, the project lead for the WordPress project, announced that there will be no releases of WordPress in the near future. Development on the project will continue, but before a new official version is released there will need to be significant improvement in key areas.

Matt will not sign off any new releases before the community addresses three key areas in WordPress that he identifies as potential hindrances as WordPress reaches for higher market share and even wider popularity in its quest for world domination, democratising the publishing of content on the Internet:

It is best in life to crush your enemies with marketshare, to see them driven before you, and to hear the lamentations of their proprietary CMS.
– Conan the Mattarian

The three areas that the great leader sets his sights on are:

  1. The WordPress REST API: The WordPress REST API has been in development for a number of years, but continues to lack many key functionalities, including authentication. WordPress 4.7 adds more endpoints to core, but this is not sufficient according to Mullenweg.
  2. The Editor: The rich text editing functionalities provided in the default editor are lagging behind the competition. He would like the community to reimagine the editing experience and embrace the poetry of the code. This is partially already happening in Calypso, the JavaScript shell for WordPress built by Automattic.
  3. The Customizer: The customizer allows live previewing of configuration changes made to a WordPress installation. It enables handy previews of theme changes, color changes and widget placement to provide a basic WYSIWYG preview. Competitors like Wix and Squarespace are more advanced, and for WordPress to stay relevant and remain the most popular publishing tool it needs to catch up with the proprietary pair.

With these targets set, the project should be well placed to continue dominating and even expanding its market share and reach. This is key in battling proprietary corporations that have the funding to run multimillion dollar marketing campaigns for their products, whereas WordPress is an effort of love and devotion for many – a true community effort!

Let’s Make WordPress Great Again!