Drupal is playing down estimates that more than 100,000 websites are still vulnerable to months-old critical security flaws in its content management system.
The developer said Thursday that reports from earlier this week, claiming tens of thousands of sites had not been patched to version 7.58 and were thus vulnerable to an attack dubbed Drupalgeddon 2, were based on bad info.
The number was floated by security researcher Troy Mursch, who based the estimate on a set of 500,000 sites he found using Drupal. The researcher said that of the 500,000 observed sites, 115,070 were found to be running an outdated version of Drupal 7 that would be vulnerable to the remote-code-execution hole discovered in April. An additional 134,447 sites were deemed to not be at risk, and 225,056 sites could not be diagnosed either way.
"Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world," Mursch, best known for hunting down crypto-mining scripts, wrote.
"Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers."
According to Drupal, however, those numbers rest on a wrong assumption. Its security team said the method the researcher used to scan the sites – checking the version string reported in the CHANGELOG.txt file shipped with Drupal – is not a reliable way to find out which version of Drupal is actually running, nor whether it has been patched against the flaw.
"Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere," Drupal explained.
"There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site."
Mursch, meanwhile, acknowledged Drupal's point of view, but said he is standing by his figures.
"Yes, even though we know 115,000 sites are using outdated Drupal versions, some going back seven years, it's possible someone applied a mitigation patch that we have no way of telling if they did. The only way to be sure is to perform the actual exploit on half a million sites," he told The Register.
"But that's illegal, so I'll stand by my findings. I won't be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that 115,000 Drupal sites are outdated and may be vulnerable to other exploits not limited to Drupalgeddon 2." ®