Drupal is another prime example of a modern CMS. With more than 250,000 weekly hits to its APIs, this CMS has gained immense popularity! One would agree with the statement on the Drupal site which proclaims: “Tens of thousands of people and organizations are using Drupal to power scores of different web sites”.

Similar to the other CMSs which we have profiled in this series, Drupal offers the flexibility to manage content easily, add attractive themes and otherwise customize websites. Considering the plethora of themes available through the Drupal website, users seem to be very conscious of the attractiveness of their sites.

In this post we will be taking a close look at Drupal to understand any interesting issues with active installations publicly seen on the Internet.

The aim of this experiment:

• What associated scripts do Drupal users use in addition to core Drupal functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Drupal. Understandably, not all 100,000 websites were actually using Drupal. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Drupal or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.

We present the most interesting results in brief:

• None of the Drupal sites were blacklisted by Google Safe Browsing.
• 10.1% of Drupal sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware.
• 79.3% of Drupal sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• A whopping 66.2% of all Drupal sites use jQuery.
• None of the Drupal sites use Mootools.
• Only 1.7% of the Drupal sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that unlike some of the other CMS packages we have looked at, Drupal installations seem to be safe from the most prevalent malware. Furthermore, it seems that the correlation between Drupal users and jQuery users is much tighter than in the case of other CMS packages. It might be an interesting point to probe further, to understand why the number of infected Drupal installations is much less than the number of infected installations of other CMS systems while jQuery continues to be a common attack vector.

Till next time.