January 17, 2018

Drupal Fixes SQL Injection Security Vulnerability

The Drupal security team has issued a patch for a critical security flaw in Drupal 7.x. The vulnerability allows an attacker to perform SQL injection against a Drupal site. The flaw lies in the database abstraction API, the very layer designed to prevent such attacks by binding query parameters instead of splicing them into SQL text.

By exploiting this vulnerability, an unauthenticated attacker can execute carefully crafted SQL against the targeted site. Such attacks can be used to read usernames and password hashes, to create backdoors by inserting malicious data directly into the database tables that hold the Drupal menu system, or as a foothold for further attacks.
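The flaw sat in the routine that expands array-valued placeholders (for example `WHERE name IN (:name)` with an array bound to `:name`) into one placeholder per element. Before 7.32 the suffix of each generated placeholder was taken from the array's own keys, so an array built from user input carried attacker-chosen text straight into the SQL string; 7.32 switched to `array_values()` so the suffixes are generated indices. The Python model below is an added example, not Drupal's code: it reimplements that expansion logic in both its vulnerable and fixed forms so the difference can be observed. The query, the sample arguments and every function name (`expand_arguments_vulnerable`, `expand_arguments_fixed`, `placeholders_well_formed`) are constructed for this illustration.

```python
import re

# Constructed sample input for this example (not from the page).
QUERY = "SELECT * FROM users WHERE name IN (:name)"
BENIGN_ARGS = {":name": ["alice", "bob"]}
# In Drupal 7 the keys of such an array could come straight from a form
# field submitted as name[...]; the key below is attacker-controlled.
MALICIOUS_ARGS = {":name": {"0 OR 1=1 -- ": "x"}}


def _items(data):
    """Mimic PHP's foreach over an array: lists yield 0..n-1, dicts their keys."""
    return enumerate(data) if isinstance(data, list) else data.items()


def _expand(query, args, use_array_keys):
    """Model of the placeholder expansion in Drupal 7's database layer.

    Each array-valued argument :key is rewritten to :key_<i>, :key_<i>, ...
    and the query text is updated to match. The only difference between the
    vulnerable and the fixed behaviour is where <i> comes from.
    """
    args = dict(args)
    for key, data in [(k, v) for k, v in args.items() if isinstance(v, (list, dict))]:
        if use_array_keys:
            # Pre-7.32 behaviour: <i> is the array key, whatever it contains.
            pairs = _items(data)
        else:
            # 7.32 behaviour (array_values): <i> is a generated index 0..n-1.
            values = data.values() if isinstance(data, dict) else data
            pairs = enumerate(values)
        new_keys = {f"{key}_{i}": value for i, value in pairs}
        # The placeholder list is spliced into the query text as a string.
        query = re.sub(re.escape(key) + r"\b", lambda m: ", ".join(new_keys), query)
        del args[key]
        for k, v in new_keys.items():  # add the expanded placeholders, keep existing ones
            args.setdefault(k, v)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Drupal 7.x before 7.32: user-controlled array keys reach the SQL text."""
    return _expand(query, args, use_array_keys=True)


def expand_arguments_fixed(query, args):
    """Drupal 7.32: indices are generated, so array keys never touch the SQL."""
    return _expand(query, args, use_array_keys=False)


PLACEHOLDER = re.compile(r"^:[A-Za-z0-9_]+$")


def placeholders_well_formed(args):
    """Defensive check (assumed, not Drupal's): every bound placeholder name
    must be a plain identifier. Spaces or SQL punctuation in a name mean text
    has leaked into the statement instead of being bound as a parameter."""
    return all(PLACEHOLDER.match(k) for k in args)


if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("fixed", expand_arguments_fixed)):
        q, a = fn(QUERY, MALICIOUS_ARGS)
        print(f"{label:10s} {q!r}  well-formed={placeholders_well_formed(a)}")
```

With the benign list both versions produce `IN (:name_0, :name_1)`. With the crafted key the vulnerable path produces `IN (:name_0 OR 1=1 -- )`: the attacker's text is now part of the statement, outside any bound parameter, which is exactly the condition a parameterised API is meant to make impossible. The general lesson is that array keys are data too; anything that is interpolated into SQL text rather than bound must be generated by the code, never taken from input.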

The Drupal Security Team recommends that all Drupal 7 users upgrade to version 7.32, which contains the fix to the database abstraction API. Users who cannot upgrade immediately can instead apply the standalone patch published with the advisory.

The following update appeared on Drupal.org shortly after the advisory was published:

“Several hours after the security announcement was released, proof of concept (POC) instructions began appearing in the wild that demonstrate how to exploit the vulnerability. Shortly afterwards, hosting companies began to report a variety of systematic exploit attempts targeting Drupal websites on their platforms. These exploit attempts are ongoing and underscore the need to update all Drupal 7 sites immediately.”

The Drupal security team has also received reports of sites that were found already patched even though nobody responsible for those sites had applied the update. An unexplained patch is itself evidence of compromise: an attacker who has taken over a site commonly patches the hole to keep other attackers out while retaining their own access. The security team therefore treats such a site as compromised and recommends taking it offline and performing a full security audit of all of its components.

The vulnerability was discovered in the third week of September by SektionEins, a German PHP security firm, while performing a security audit for an unnamed client. Drupal core security releases are issued on the third Wednesday of every month. According to the FAQ accompanying the release, the security team had considered publishing the fix early because of its severity, but because the earlier window coincided with DrupalCon Amsterdam, it chose to release the fix on the normal schedule.

Update: This article was updated on Oct. 30 with new information.

The maintainers of the Drupal content management system have released a warning to users stating that "any site owners who haven’t patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised."

"Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement," a statement released by the Drupal maintainers on Wednesday says.