Atop the Castle of Saint Barbara in Alicante, time sometimes seems to slow down, and words that once held grand meaning seem inadequate. I had a similar feeling both during and on the heels of DrupalCamp Spain, organized by the Spanish Drupal Association and held this year at Las Cigarreras cultural center in a seaside city that is one of the crown jewels of not only the Valencian Community but also of Spain.
The Spanish Drupal community welcomed Acquia with open arms, broad smiles, and mistela in ample supply. At the same time, local communities around Europe are witnessing a surge in activity in preparation for Drupal Europe, the volunteer-led event to be held in Darmstadt in September, and the enthusiasm was palpable throughout the event.
Like the feeling of suspended time at the summit of Alicante's beautiful castle, there were instances at Las Cigarreras where things seemed to come to a halt, where the clock slowed to zero, and true nuance could be found in the most contemplative of moments on stage. This time on the Experience Express, we pause in Alicante to take stock of some of the key moments here in view of the gentle waves of the Mediterranean.
An agnostic future for Drupal content
My featured keynote on Saturday morning, "La próxima década de Drupal" (English: "Drupal's next decade"), inspected some of the issues facing Drupal in the years ahead as digital experiences continue diversifying in the face of accelerating innovation. First, I undertook a breezy summary of content experiences and how new demands are stretching the meaning of the word "content" itself.
In a world where websites are no longer the only digital presence for organizations, how do we prepare? I advocated an approach in which organizations focus on crafting a channel-agnostic content strategy that also succeeds in centralizing content within a single source of truth. With the help of Drupal's API-first initiative and evolving understandings of content strategy, I made a case for why the history of Drupal has only just begun. Check out the slides (in Spanish) for more!
Improving your website with analytics
Laura Bonmatí (previously CEO of Blabup) presented a compelling introduction to Google Analytics and how web analytics in general can improve any organization's website. First, Laura started with a discussion of how knowledge is increasingly hybridized in today's industry, with marketing professionals and front-end developers both needing web analytics expertise to know our users better.
After introducing the audience to Google Analytics, Laura then discussed how the Google service collects and records data, particularly hits, which can be a pageview, transaction, or even a social media operation. According to Laura, Google Analytics also typically collects information such as a user's browser, operating system, and service provider in addition to other details such as screen resolution.
The most intriguing portion of the presentation came during Laura's discussion of best practices when it comes to making the most of Google Analytics. She recommends that Google Analytics users determine ahead of time what website elements they wish to track and that they adopt a naming convention for their categories, actions, and tags which is coherent and clear.
Afterwards, Laura featured Google Optimize, an easy tool to test different variations of your website and then tailor it to deliver your website according to insights gathered from testing. Check out Laura's presentation (in Spanish) for more!
Conducting autopsies on Drupal vulnerabilities
"Every anonymous user can be an attacker. (Todos los usuarios anónimos pueden ser atacantes.)" —Zequi Vázquez
Later in the morning, Zequi Vázquez (Developer at Lullabot), a self-described back-end developer focused on systems administration, DevOps, hacking, and security, embarked on a brisk and entertaining journey through the most important vulnerabilities that can afflict even the most prepared developer teams. Zequi wasted no time, kicking things off with a definition of the term vulnerability as an oversight or issue that could lead to changes in the behavior of a system, such as the introduction of new code and its execution.
Zequi covered each of the three vulnerabilities affecting Drupal in turn, covering in detail how to exploit them. Concerning the first vulnerability, reported in SA-CORE-2014-005 (patch released on October 15, 2014), Zequi described how the name attributes in
form elements could contain either strings or arrays, which are sent via HTTP POST to the Drupal server.
Armed with Chrome Developer Tools (or any other browser debugger), an attacker could use this quirk in Drupal-rendered forms to introduce SQL queries into the user login form, for instance, within keys of arrays that weren't sanitized by the
expandArguments() method in
includes/database/database.inc. Below is an example that Zequi shared of two adjacent
elements that would make this exploit possible:
The second vulnerability, reported in SA-CORE-2018-002 (patch released on March 28, 2018), also concerns form inputs, particularly in forms generated using render arrays (introduced in Drupal 7), whose keys are prefixed with
#. In many forms, the value is stored alongside the key
#value. In the user registration form, it's possible to trick Drupal by using the same technique as before — inserting arrays into certain form fields, including a reference to an executable file on the server, as seen in the sample payload below:
mail[a][#type] = 'markup' mail[a][#post_render] = 'exec' mail[a][#markup] = 'echo "Hola" | tee sites/default/files/hola.txt'
And in this case, we can trick Drupal into re-rendering the form through Ajax API, which triggers a
post_render and allows for an attacker to execute arbitrary code on the server.
The third exploit discussed, reported in SA-CORE-2018-004 (patch released on April 25, 2018), is more complex still — and well beyond the scope of this blog post — but uses the Ajax API once more to allow an attacker to execute arbitrary code that has been placed on the server.
As a final note, Zequi noted what risks are present when developers haven't patched their sites in time — an unenviable scenario to find oneself in — and what to do next. Attackers can potentially extract the complete database, introduce cryptocurrency miners in the
/files directories, and infect unwitting users of the site. After an exploit, the most important steps to clean a compromised site are to eliminate any code that may be in the
/files directory, ensure no code has been inserted into the database, and verify that no other PHP file has been modified by malicious code.
Ultimately, Zequi offered a fast-paced and uniquely enjoyable autopsy of recent critical vulnerabilities in Drupal, content he will repeat at Drupal Developer Days in Lisbon next week.
"So flexible that it's easy to shoot yourself in the foot. (Tan flexible que es fácil dispararse en un pie.)" —Ricardo Sanz
Next time on the Experience Express, we hop up to Utrecht in the Netherlands for a stop at Frontend United, where Dries Buytaert gave a thrilling keynote and yours truly delivered a talk about conversational design. I'll also see many of you next week in Lisbon for Drupal Developer Days! ¡Hasta la próxima and tot ziens!