Drupal Core SQL Injection Vulnerability Leveraged in Drive-by Attacks

The Drupal core SQL injection vulnerability disclosed two weeks ago has been leveraged in automated attacks aimed at compromising websites, according to an announcement by Drupal.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection,” Drupal advised. “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC.”

The SQL injection vulnerability lies in the database abstraction API and can be exploited through crafted requests that lead to arbitrary SQL execution.

“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks,” Drupal said in its description of the flaw.

All Drupal core 7.x versions prior to 7.32 are vulnerable. For those who cannot update to the latest version, Drupal created a patch that fixes the flaw.

Websites that have already been compromised cannot be fixed merely by updating or applying the patch.

Drupal also wrote a walkthrough covering “Data and damage control” and “Recovery” guidelines.

About the author

Lucian Ciolacu
