[kdenlive] kdenlive.org, security and drupalgeddon

Roger Morton ttguy1 at gmail.com
Fri Dec 26 22:30:55 UTC 2014 

So I think someone has an exploit into our kdenlive.org site.

Back a few years just before we moved the forums JBM gave me admin privs on
the site so I could help out with anti-spam and migrate the forums.  For a
while the site was pretty much off line with respect to user contributions.
But around 2014-11-09 in response to a mantis request (
https://bugs.kdenlive.org/view.php?id=3402) JBM turned back on the
camcorder database.

Since then (maybe before I have not being paying attention) the site has
been getting hundreds of user registrations per week by spam bots. And we
have been getting lots of spam posted to the camcorder database. And I have
been progressively trying to prevent this by adding extra captcha tests and
then turning off the automatic sending of one time log-in links to newly
registered users and asking users to PM me in the forums if they want a
kdenlive.org account. The result of this is that we still get lots of spam
bot created users but they are created with a blocked status. So this has
been somewhat sucessful.

However, even after these measures the site is still getting one or two
active users being created. And the logs show successful use of the one
time log in link that used to be sent out. But which is not being sent out
(by me at least). And these users generate 3 -4 spam post per day.

So I think someone is using an exploit of some kind on that site.

It currently is running 7.34 of drupal (but I don't know when it got to
that version).

But back in 2014-Oct-15 a major security flaw in versions lower than 7.34
was announced https://www.drupal.org/SA-CORE-2014-005 and which has been
give the name drupalgeddon

I don't know if JBM patched this issue. It is a pretty dramatic
announcement -
https://www.drupal.org/PSA-2014-003


*Automated attacks began compromising Drupal 7 websites that were not
patched or updated to Drupal 7.32 within hours of the announcement of
SA-CORE-2014-005 - Drupal core - SQL injection
<https://www.drupal.org/SA-CORE-2014-005>. You should proceed under the
assumption that every Drupal 7 website was compromised unless updated or
patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.*

So the fact that we get active users in the absence of approving them might
be related. It might not.

JBM - did you know about drupalgeddon and patch it in the 7hour limit?
(what a ridiculous time frame !!)

But this raises the question - does the camcorder database on kdnelive.org
serve a useful purpose?
Could it be moved to .kde infra structure too like the forums? Or do we
need it at all?
Do we want to move the jbm/till/granjow blogs off  kdnelive.org
Or can the vulnerability be fixed?

My vote would be to just get off kdnelive.org all together and use the
kde.org infrastructure. Because - as JBM has found out - maintaining this
sort of stuff in the big bad world of spammers is hard work. Time is better
spent on kdenlive itself than on the drupal website.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kdenlive/attachments/20141227/83e683fb/attachment.html>

More information about the kdenlive mailing list