• Analyzing Popular CMSs: Are Drupal Users at Risk?

    Continuing with this series of articles on CMS security, we have previously profiled Joomla and WordPress, this time we will be focusing on Drupal. Another, in a line of popular CMSs available today, Drupal, is used by tens of thousands of websites. Similar to WordPress, it has various plugins to customize the base installation and also sports interesting features such as “friendly links.” Quoting from the Drupal site, “Drupal uses Apache’s mod_rewrite to enable customizable URLs that are both user and search engine friendly.” Additionally, this particular CMS enjoys a large user community that is very serious about security.

    Drupal is another prime example of a modern CMS. With more than 250,000 weekly hits to its APIs, this CMS has gained immense popularity! One would agree with the statement on the Drupal site which proclaims: “Tens of thousands of people and organizations are using Drupal to power scores of different web sites”.

    Similar to the other CMSs which we have profiled in this series, Drupal offers the flexibility to manage content easily, add attractive themes and otherwise customize websites. Considering the plethora of themes available through the Drupal website, users seem to be very conscious of the attractiveness of their sites.

    In this post we will be taking a close look at Drupal to understand any interesting issues with active installations publicly seen on the Internet.

    The aim of this experiment:

    • What associated scripts do Drupal users use in addition to core Drupal functionality?
    • What are the vulnerabilities of using the associated scripts?

    Experiment methodology:

    An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Drupal. Understandably, not all 100,000 websites were actually using Drupal. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Drupal or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.

    We present the most interesting results in brief:


    This limited experiment shows that unlike some of the other CMS packages we have looked at, Drupal installations seem to be safe from the most prevalent malware. Furthermore, it seems that the correlation between Drupal users and jQuery users is much tighter than in the case of other CMS packages. It might be an interesting point to probe further, to understand why the number of infected Drupal installations is much less than the number of infected installations of other CMS systems while jQuery continues to be a common attack vector.

    Till next time.