Highly Critical SQL Injection Vulnerability Patched in Drupal Core

The Drupal team just released a security update for Drupal 7.x to address a highly critical SQL injection vulnerability. This bug can be exploited remotely by unauthenticated users and was classified as “Highly Critical” by the Drupal Security Team. More information is available in their public advisory:

Posted by Drupal Security Team on October 15, 2014 at 4:02pm
Advisory ID: DRUPAL-SA-CORE-2014-005
Version: 7.x
Date: 2014-Oct-15
Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection

Users on the Drupal 7.x branch need to update to version 7.32 immediately. The good news for our clients is that if you are leveraging our Website Firewall (CloudProxy) product, you have already been proactively patched against this vulnerability. If you cannot patch your installation, we recommend applying their patch manually or placing your site behind a proper website firewall.

Understanding the SQL Injection

The team at SektionEins identified this vulnerability and responsibly disclosed it to the Drupal team last month. They also published an advisory with the technical details, which we recommend reading if you are a developer or system administrator.

Cliff-notes version: they found a way to bypass the protection Drupal has in place when building prepared statements for SQL queries. Where a query would normally look like:

 SELECT * FROM {users} WHERE name IN (:name_0, :name_1)

The attacker could manipulate it to look like:

 SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)

The scariest part of this vulnerability is that, because Drupal uses PDO, it is not limited to SELECT statements: an attacker is able to insert or modify arbitrary data in the database.
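As an added illustration (not code from the original post, from Drupal, or from SektionEins), the Python below models the placeholder-expansion logic the SektionEins advisory describes: the routine that turns an array parameter into `:name_0, :name_1` built the new placeholder names from the array's own keys, so untrusted keys ended up inside the query text. The function names, the `PLACEHOLDER_NAME` check and the sample inputs are constructed for this example; the corrected variant numbers the placeholders with a counter instead of using the keys, which is the approach the 7.32 fix takes.

```python
import re

# Constructed model (not Drupal's code) of how a database layer expands an
# array-valued placeholder such as ":name" into ":name_0, :name_1" before
# handing the query to PDO. Placeholder names must stay plain identifiers.
PLACEHOLDER_NAME = re.compile(r"^:[A-Za-z0-9_]+$")


def expand_arguments_unsafe(query, args):
    """Flawed pattern: the new placeholder names are built from the array's own
    keys. If those keys come from untrusted input, whatever they contain is
    pasted verbatim into the SQL text, which is the bug the advisory describes."""
    new_args = dict(args)
    for key, value in args.items():
        if not isinstance(value, (list, tuple, dict)):
            continue
        items = value.items() if isinstance(value, dict) else enumerate(value)
        new_keys = []
        for i, item in items:
            new_key = f"{key}_{i}"  # key taken straight from the input array
            new_args[new_key] = item
            new_keys.append(new_key)
        del new_args[key]
        query = query.replace(key, ", ".join(new_keys))
    return query, new_args


def expand_arguments_safe(query, args):
    """Corrected pattern: placeholder names come from a counter, so the query
    text never depends on anything in the input keys (only values get bound)."""
    new_args = dict(args)
    for key, value in args.items():
        if not isinstance(value, (list, tuple, dict)):
            continue
        values = list(value.values()) if isinstance(value, dict) else list(value)
        new_keys = []
        for i, item in enumerate(values):
            new_key = f"{key}_{i}"  # position in the array, never the key itself
            new_args[new_key] = item
            new_keys.append(new_key)
        del new_args[key]
        query = query.replace(key, ", ".join(new_keys))
    return query, new_args


def placeholders_are_clean(args):
    """Defensive check worth running on the expanded argument map: every
    placeholder name must be a plain identifier, or the query text was tainted."""
    return all(PLACEHOLDER_NAME.match(name) for name in args)


if __name__ == "__main__":
    query = "SELECT * FROM users WHERE name IN (:name)"
    # Benign input: a plain list of values; both variants behave the same.
    print(expand_arguments_unsafe(query, {":name": ["alice", "bob"]})[0])
    # Constructed untrusted input whose array keys carry the fragment shown in
    # the query above; only the values were ever meant to be bound.
    untrusted = {":name": {"test) OR name = 'Admin' -- ": "x", "test": "y"}}
    tainted_query, tainted_args = expand_arguments_unsafe(query, untrusted)
    print(tainted_query, "clean:", placeholders_are_clean(tainted_args))
    print(expand_arguments_safe(query, untrusted)[0])
```

The benign list expands identically under both variants, which is why the flaw went unnoticed: the difference only appears when the array keys are attacker-controlled, and `placeholders_are_clean` is the kind of assertion a database layer (or a WAF rule on the bound-parameter names) can use to catch that case.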

The severity, coupled with its simplicity, is a recipe for disaster. It’s only a matter of time before it’s integrated into the latest toolsets and attacks are actively detected.

2014/10/15 18:17 – Update 1: There are PoCs (proofs of concept) being shared on many underground forums. It won’t be long before we start to see exploitation attempts.
