Suggested by Bevan in #2373453: Drupalgeddon project long-term support plans
Constantly remind users that drupalgeddon is not reliable;
The project page already makes this clear.
If drush drugtest was negative (no known signs of compromise), issue a warning: "Nevertheless, the website may have been compromised."
Regardless of the drugtest result, issue the warning: "Restoring from pre-15 Oct 2014 backups and updating to 7.32+ is the only certain way to secure a publicly accessible website that was vulnerable to SA-CORE-2014-005 (Drupalgeddon)."
Comments
Comment #1
xurizaemon
Comment #2
omega8cc commented:
From our experience it should be as short as possible and in absolutely plain English. We have seen people who received a few BOA alerts sent automatically because drupalgeddon discovered the drupaldev/megauser pair created in their site, yet they not only don't delete this user/role, they simply proceed with the site upgrade, or ask for extra explanation, because what we wrote on our website was too hard for them to understand, so they keep enabling the site daily just after BOA disabled their site (daily) with a clearly communicated alert. It is just depressing sometimes... but the conclusion is that we should proceed under the assumption that:
1. People don't read unless you put it at the top and it's ~5 lines max.
2. People who do read, do not really understand the danger anyway.
Yeah, I know this may sound extreme, but because of the depressing facts we have seen, I know that the message should be bold enough, and as short as possible.
I would propose to add a disclaimer saying something like this:
WARNING! Please don't trust in results of this test! YOUR SITE IS ALREADY COMPROMISED, unless you have updated or patched it BEFORE Oct 15th, 11pm UTC. This test may only confirm what you already know: YOUR SITE IS HACKED! It can't tell you that you are safe. You are not safe, even if the test couldn't find known exploits. More information: https://www.drupal.org/PSA-2014-003
Comment #3
Bevan
Comment #4
Bevan commented:
Thanks @omega8cc. Your text was longer than mine, but simpler and clearer. I tried to take the best of both versions in this draft:
I think it is probably still too long and complicated.
Comment #5
omega8cc commented:
I agree, it should be less than half of this, or people will skip it with TL;DR.
Comment #6
omega8cc commented:
We link to drupal.org/PSA-2014-003 so we don't need to explain what to do next etc. So maybe just this?
===
WARNING! Do not trust the results of this test!
It cannot tell if a website is safe just because it did not find known exploits.
Unless patched before Oct 15, 11pm UTC, the website is probably COMPROMISED!
Now what? Please read: https://www.drupal.org/PSA-2014-003
===