The developers of the open source Drupal content management system recently warned that a SQL injection vulnerability affecting all Drupal 7.x versions prior to 7.32 may have exposed hundreds of thousands of websites to attack.
According to Drupal’s own statistics, almost a million websites currently use Drupal 7. Drupal 6.x is not affected by the flaw.
As the initial Drupal security advisory explains, “Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”
A follow-up advisory notes that automated attacks began compromising Drupal 7 websites within hours of the announcement of the flaw, and warns that simply updating to Drupal 7.32 will not remove backdoors planted in the meantime.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” the advisory states. “If you have not updated or applied this patch, do so immediately.”
All Drupal 7 users are urged to upgrade to Drupal core 7.32, or to apply this patch to Drupal’s database.inc file if upgrading is not immediately possible.
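A triage script for the two remediation paths named above (added here as an example; it is not code from Drupal or from the article). It assumes, as Drupal 7 does, that the core version is defined in includes/bootstrap.inc as define('VERSION', '7.xx'), and that the database.inc patch replaced `foreach ($data as $i => $value)` with `foreach (array_values($data) as $i => $value)`; both are assumptions not stated on the page. A result of "fixed" or "patched" says nothing about whether the site was already backdoored before the fix went in, which is the advisory's point about assuming compromise.

```python
"""Classify a Drupal 7 install as fixed (>= 7.32), patched, or vulnerable."""
import re

FIXED_VERSION = (7, 32)
# Assumed signature of the one-line database.inc fix (see lead-in).
PATCH_SIGNATURE = "foreach (array_values($data) as $i => $value)"


def parse_version(bootstrap_inc: str) -> tuple:
    """Return the core version from bootstrap.inc, e.g. '7.31' -> (7, 31)."""
    m = re.search(r"define\('VERSION',\s*'(\d+)\.(\d+)", bootstrap_inc)
    if not m:
        raise ValueError("VERSION constant not found in bootstrap.inc")
    return (int(m.group(1)), int(m.group(2)))


def assess(bootstrap_inc: str, database_inc: str) -> str:
    """Decide which remediation state the install is in."""
    version = parse_version(bootstrap_inc)
    if version[0] != 7:
        return "not-drupal-7"   # Drupal 6.x is not affected, per the advisory
    if version >= FIXED_VERSION:
        return "fixed"          # core 7.32 or later
    if PATCH_SIGNATURE in database_inc:
        return "patched"        # core < 7.32 but database.inc carries the fix
    return "vulnerable"         # 7.x prior to 7.32 with unpatched database.inc


# Constructed sample file contents (not taken from a real install).
SAMPLE_BOOTSTRAP_OLD = "<?php\ndefine('VERSION', '7.31');\n"
SAMPLE_BOOTSTRAP_NEW = "<?php\ndefine('VERSION', '7.32');\n"
SAMPLE_DB_UNPATCHED = "      foreach ($data as $i => $value) {\n"
SAMPLE_DB_PATCHED = "      foreach (array_values($data) as $i => $value) {\n"

if __name__ == "__main__":
    cases = [
        ("7.31, unpatched", SAMPLE_BOOTSTRAP_OLD, SAMPLE_DB_UNPATCHED),
        ("7.31, patched", SAMPLE_BOOTSTRAP_OLD, SAMPLE_DB_PATCHED),
        ("7.32", SAMPLE_BOOTSTRAP_NEW, SAMPLE_DB_UNPATCHED),
    ]
    for label, boot, db in cases:
        print(f"{label}: {assess(boot, db)}")
```

To run it against a real install, pass the contents of includes/bootstrap.inc and includes/database/database.inc to assess().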
Read the Full Article: Source – eSecurity Planet
http://www.esecurityplanet.com/network-security/drupal-acknowledges-major-sql-injection-vulnerability.html