Open source software security

Drupal 5 Unsupported, Abandoning Users

9 February 2011
Drupal 7 came out recently, which means that according to Drupal policy (http://drupal.org/documentation/version-info) Drupal 5 is no longer supported. Released in January 2007, Drupal 5 was a venerable and solid release, and many, many sites were built on it. Now that it is unsupported it has become abandonware. Users of Drupal 5 are left to their own devices for maintenance, patching and upgrades: no new versions of Drupal 5 core will be released, and the Drupal security team will no longer coordinate responses to vulnerabilities found in Drupal 5 modules.

Anyone who has ever upgraded Drupal knows that it is no easy feat. Even moving core from one point release to the next, say from Drupal 6.19 to Drupal 6.20, is not trivial: there are many things that can go wrong, and most organizations weigh the cost of an upgrade very carefully. The cost to individual users is higher still, especially without advanced PHP and web server knowledge, since an upgrade can involve migrating code, reconfiguring a server and a host of other changes that are often beyond the means of regular end users. Moving from one major version of Drupal to another is more complex again, and it frequently leaves a site broken or crashing.

Many users have probably been tempted to conclude "if it ain't broke, don't fix it" and stick with Drupal 5 rather than incur the hassle of migrating to Drupal 7. That may look like a wise decision until one factors in that the Drupal security team, and many module maintainers, no longer support Drupal 5. Take, for example, the recent case of a vulnerability I discovered in the Drupal Panels module (http://drupal.org/node/1046788) for Drupal 5. I found a cross-site scripting vulnerability in Panels, which is one of the most popular Drupal modules.
The module maintainer replied to the vulnerability report:

"All 5.x versions of Panels code are unsupported; no more commits will be made to these branches. It is recommended that no one use any 5.x version of Panels."

What this means for end users is that if you're using Drupal 5 with Panels you had better uninstall Panels. This is the first instance I'm aware of in which a module security vulnerability resulted in no action from the maintainer, but it certainly won't be the last. If your Drupal 5 site uses Panels you are left to choose between installing an unsupported patch, disabling Panels, upgrading to Drupal 6, or uninstalling Drupal. That is a *huge* headache in enterprise organizations that have built complex, multi-user Drupal sites with custom code, where moving to Drupal 6 may be difficult if not impossible. For lack of support, Drupal 5 has become a ticking time bomb: as the code base ages, more vulnerabilities are bound to be discovered, and overall security degrades slowly over time.

Drupal users should take heed of this situation even if they aren't using Drupal 5. If you are evaluating Drupal, keep in mind that each version will need to be replaced eventually, and the investment needed for that upgrade should be considered carefully. Given the release timeline of Drupal 5 it is reasonable to assume that a new Drupal site will have to undergo a major version upgrade within three years. If you're using Drupal now, plan to upgrade eventually. If you're planning a new site you're stuck choosing which version to develop in: the current major release (Drupal 7) or the previous one (Drupal 6). This is tough, because if you examine the current state of Drupal support you'll notice that Drupal 7 isn't really ready for prime time: many modules and much functionality aren't yet available for 7.
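The first step in making that decision is knowing what is actually deployed. The script below is an added example, not code from this post or from the Drupal project: it walks a Drupal docroot, parses each module's .info file (ini-style "key = value" lines; packaged releases add "version", "project" and "datestamp"), and flags anything whose core branch is on an end-of-life list. Drupal 6 .info files carry an explicit "core = 6.x" line, while Drupal 5 files generally do not, so the branch is inferred from the "5.x-2.5" style version string when "core" is absent; a hand-written .info with neither is reported as "unknown" for manual review. The sample docroot, module names and version strings are constructed for the demonstration, and the EOL set containing only 5.x is an assumption taken from this post.

```python
"""Flag Drupal modules that sit on an end-of-life core branch.

Added example; not from the original post or the Drupal project. Reads the
ini-style .info file every module ships and infers the core branch from
"core = N.x" or, failing that, from an "N.x-a.b" version string.
"""
import os
import re
import tempfile

# Branches unsupported once Drupal 7 shipped (assumption from the post: 5.x only).
EOL_CORE_BRANCHES = {"5.x"}

_LINE = re.compile(r'^\s*([A-Za-z0-9_]+)(\[\])?\s*=\s*"?(.*?)"?\s*$')
_BRANCH = re.compile(r"^(\d+\.x)-")  # "5.x-2.5" -> "5.x"


def parse_info(text):
    """Parse .info text into a dict; repeated key[] lines become lists."""
    info = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # ';' starts a comment
        m = _LINE.match(line)
        if not m:
            continue
        key, is_array, value = m.groups()
        if is_array:
            info.setdefault(key, []).append(value)
        else:
            info[key] = value
    return info


def core_branch(info):
    """Return "5.x", "6.x", ... or None when the file does not say."""
    if info.get("core"):
        return info["core"]
    m = _BRANCH.match(info.get("version", ""))
    return m.group(1) if m else None


def classify(info, eol=EOL_CORE_BRANCHES):
    branch = core_branch(info)
    if branch is None:
        return "unknown"  # dev checkout or hand-written .info: review by hand
    return "eol" if branch in eol else "supported"


def scan_tree(root):
    """Walk a Drupal docroot and classify every .info file found."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".info"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                info = parse_info(fh.read())
            report.append({
                "path": os.path.relpath(path, root),
                "project": info.get("project", name[:-5]),
                "version": info.get("version", "?"),
                "branch": core_branch(info),
                "status": classify(info),
            })
    return report


# Constructed sample docroot; module names and version strings are illustrative.
SAMPLE_TREE = {
    "sites/all/modules/panels/panels.info":
        '; $Id$\nname = Panels\npackage = Panels\n'
        'version = "5.x-2.5"\nproject = "panels"\ndatestamp = "1200000000"\n',
    "sites/all/modules/views/views.info":
        'name = Views\ncore = 6.x\ndependencies[] = ctools\n'
        'version = "6.x-2.12"\nproject = "views"\n',
    "sites/all/modules/custom/intranet/intranet.info":
        "name = Intranet glue\ndescription = In-house module, never packaged.\n",
}


def build_sample_tree(root):
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def sample_report():
    """Build the sample tree in a temp dir, scan it, key results by project."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {r["project"]: r for r in scan_tree(root)}


if __name__ == "__main__":
    for rec in sorted(sample_report().values(), key=lambda r: r["path"]):
        print(f"{rec['status']:<10}{rec['branch'] or '?':<6}"
              f"{rec['project']:<10}{rec['version']:<10}{rec['path']}")
```

Point scan_tree at a real docroot to get the same report for a live site. The check is only as good as the .info metadata: it tells you which branch the code was packaged for, not whether local patches were applied, so "unknown" entries and anything marked "eol" still need a human decision of the kind described above.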
This means that most users are stuck developing Drupal sites in Drupal 6, even though it is the previous major release and will lose support as soon as the next major version is released. Drupal 6 was released in February 2008. At that time people considering Drupal faced a situation very similar to the current one: site builders couldn't develop new sites in Drupal 6 because it wasn't ready for production, with critical modules unavailable, so people standing up Drupal sites in early 2008 were forced to use Drupal 5. Now, less than three years later, their platform is completely unsupported and vulnerabilities are going unpatched. That is not a desirable situation, and it should be considered carefully when evaluating the use of an open source content management system such as Drupal.