
Drupal Patches ‘Highly Critical’ SQL Injection Vulnerability

A critical SQL injection bug has been patched in Drupal, and users are being advised to upgrade as soon as possible.

The vulnerability exists in every Drupal core 7.x release prior to 7.32; the just-released 7.32 is the version that fixes it.


“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks,” according to an advisory from the Drupal Security Team. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”

This vulnerability can be exploited by anonymous users, the advisory adds.
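The "vulnerability in this API" is in the way Drupal 7's database layer expands a placeholder bound to an array (the `IN (:name)` case) into one placeholder per element: it built the new placeholder names from the array's keys, and PHP populates array keys directly from request parameters of the form `param[key]=value`, so an attacker-chosen key was concatenated into the SQL text. The 7.32 fix iterates over `array_values()` of the array, discarding the keys. The Python model below is an added example written for this page, not Drupal's PHP code; the query, the argument sets and the function names are constructed for illustration, and it shows both the flawed expansion and the corrected one on the same hostile input.

```python
"""Model of the array-placeholder expansion behind the Drupal 7.32 fix.

Constructed example for illustration; not Drupal's own PHP code. The
template query and the argument dictionaries below are made up.
"""
import re

# Constructed template: a query that binds an array to a single placeholder.
QUERY = "SELECT uid FROM users WHERE name IN (:name)"

# A benign request: PHP turns name[]=alice into an array with numeric keys.
NORMAL_ARGS = {":name": {0: "alice"}}

# A hostile request: PHP turns a parameter written as
#   name[0 ; DROP TABLE users; -- ]=alice
# into an array whose KEY is attacker-chosen text. The value is harmless;
# the key is the injection vehicle.
HOSTILE_ARGS = {":name": {"0 ; DROP TABLE users; -- ": "alice"}}


def _expand(query: str, args: dict, trust_keys: bool):
    """Expand every array-valued placeholder into one placeholder per element.

    trust_keys=True reproduces the flawed behaviour: each new placeholder
    name is '<placeholder>_<array key>', so the key lands in the SQL text.
    trust_keys=False reproduces the fix: keys are discarded and the elements
    are renumbered 0..n-1 (the PHP fix wrapped the array in array_values()).
    Returns the rewritten query and the flattened argument dictionary.
    """
    args = dict(args)  # do not mutate the caller's dictionary
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue  # scalar bindings are left alone
        items = data.items() if trust_keys else enumerate(data.values())
        new_keys = {f"{key}_{i}": value for i, value in items}
        # Replace the placeholder as a whole word with the expanded list.
        # A callable replacement avoids backslash processing of the keys.
        query = re.sub(re.escape(key) + r"\b",
                       lambda _m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query: str, args: dict):
    """Pre-7.32 behaviour: array keys flow into the generated SQL."""
    return _expand(query, args, trust_keys=True)


def expand_arguments_fixed(query: str, args: dict):
    """7.32 behaviour: only the element count influences the generated SQL."""
    return _expand(query, args, trust_keys=False)


def generated_sql_is_clean(expanded_query: str, template: str) -> bool:
    """Sanity check for the expansion: after collapsing every placeholder to
    '?', the expanded query must differ from the template only by extra
    ', ?' list members. Anything else means non-placeholder text leaked in."""
    collapse = lambda q: re.sub(r":[A-Za-z0-9_]+", "?", q)
    normalised = re.sub(r"\?(, \?)+", "?", collapse(expanded_query))
    return normalised == collapse(template)


if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("fixed", expand_arguments_fixed)):
        q, a = fn(QUERY, HOSTILE_ARGS)
        print(f"{label:10s} {q}")
        print(f"{'':10s} args={a} clean={generated_sql_is_clean(q, QUERY)}")
```

On the hostile input the vulnerable path yields `... WHERE name IN (:name_0 ; DROP TABLE users; -- )` and the fixed path yields `... WHERE name IN (:name_0)` with `alice` still safely bound as a parameter. Note that the benign and hostile requests are indistinguishable to the caller of the API, which is why the advisory says the flaw is reachable without an account and why a prepared-statement layer must never let any part of a bound value, keys included, influence the statement text.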


Content management system vulnerabilities are juicy targets for hackers, explained Incapsula’s Orion Cassetto in a blog post Sept. 11.   

“Since the top CMSes are so popular, these security vulnerabilities are actively sought after—both by security researchers and members of the hacker community,” Cassetto argued. “Once identified, these flaws can turn into a virtual gold mine for hackers, creating a much more efficient way for them to execute automated mass-scale attacks.”

“Adding to the issue,” Cassetto continued, “are website operators who use weak passwords, leaving their admin accounts vulnerable to automated brute force attacks. In the past we’ve shown how such weak passwords were used to inject the website with malware, turning them into DDoS zombies.”

For sites that cannot upgrade to Drupal 7.32 immediately, the Drupal Security Team advises applying the small patch it published alongside the advisory to Drupal’s database.inc file as a stopgap until a full upgrade to the current version can be completed. The patch closes the hole but is not a substitute for the upgrade, and a site remains exposed until one or the other is in place.

“Although there are no known exploits in use at this time, Drupal 7 sites are exposed to this vulnerability until they are updated,” according to a FAQ posted by the Drupal team. “Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
