Skip to main content

Drupal Security Advisory

October 31, 2014

The Christian Reformed Church in North America uses the Drupal content management system for some of its websites. Drupal is one of the most widely-used content management systems in the world, used by many universities, companies, and government agencies.

As you may have heard in news reports, on October 15 Drupal announced a security advisory that affected all websites using the current version. Our web development vendor took measures to apply the security patch to several of our websites which use Drupal, including crcna.org, The  Banner, and The Network.

Then, on October 29, the Drupal Security Team updated their original announcement and advised that all Drupal sites, except those patched within hours of the original announcement, should proceed as if they were compromised. This covers nearly all Drupal sites in the world, including eleven CRCNA sites.

Our testing revealed attempts to gain administrator access to some sites but those attempts were unsuccessful. However based on the October 29 announcement, one cannot definitively rule out the possibility of undetected breaches on any Drupal 7 site affected. For us, those include:

CRCNA
Do Justice
Hope Equals
Lift Up Your Hearts
Psalms for All Seasons
Sea to Sea
The Banner
The Network
Reformed Benefits Association (info site)
World  Renew
World  Renew Volunteer Blog

It’s important to note that, in the unlikely event of a breach, these sites do not contain any financial information. Donations and other transactions occur on separate systems which are not affected by this issue. Nor do these websites contain any employee information or social security/insurance numbers. In particular, the Reformed Benefits Association website only contains general information about the association, not any member information nor member logins.

However, a few of these sites do have an option for users to create accounts for the purposes of participating in discussion, commenting, etc. Those accounts require the user’s name and email address, as well as other optional fields.

Testing has not revealed any evidence of this account information being accessed but because of the nature of this vulnerability, we cannot rule out the possibility. So we, along with those managing hundreds of thousands of Drupal sites across the world, are taking additional measures and alerting our users.

Passwords are encrypted on our servers but, out of an abundance of caution, we have cleared all user passwords. If you have an existing login for any of these sites you can set a new password by:

  1. visiting the site
  2. click the login link
  3. click the ‘forgot my password’ link
  4. use that form to get a password reset link sent to your email

We apologize for the inconvenience this causes our users who have created accounts, and we hope you continue to make use of these sites in confidence that we take these situations seriously, alert our users when such incidents occur, and take appropriate action.

We value your continued support and encouragement as we use web technologies for ministry.