A critical SQL injection bug has been patched in Drupal, and users are being advised to upgrade as soon as possible.
The vulnerability exists in all Drupal 7.x core releases before 7.32, the just-released version that fixes it.
“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks,” according to an advisory from the Drupal Security Team. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”
This vulnerability can be exploited by anonymous users, the advisory adds.
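The advisory describes the bug only at the level of the database abstraction API, so the following is an added illustration, not Drupal's own code, of how a placeholder-expansion helper in such an API can turn into a SQL injection vector even though every value is bound through prepared statements. The function name expand_arguments, the $hardened flag, and the sample query and input are all hypothetical and constructed for this example. The unsafe branch derives placeholder names from the caller's array keys and interpolates them into the SQL text; the hardened branch discards those keys first.

```php
<?php
// Added illustration (not Drupal's code): a simplified placeholder-expansion
// helper of the kind found in database abstraction layers. Function and
// variable names are hypothetical. The unsafe branch trusts the caller's
// array keys when generating placeholder names; the hardened branch does not.

/**
 * Expand array-valued placeholders (e.g. ':name' => ['a', 'b']) into one
 * placeholder per element, so the driver can bind each value separately.
 *
 * Returns [$query, $args] with the rewritten SQL and the flattened arguments.
 */
function expand_arguments(string $query, array $args, bool $hardened): array {
  foreach ($args as $key => $data) {
    if (!is_array($data)) {
      continue;
    }
    // Hardened: array_values() discards the caller's keys, so $i is always a
    // 0-based integer and the generated placeholder names are fixed.
    // Unsafe: $i is whatever key the caller supplied. If that key came from a
    // request (PHP parses name[...] form fields into array keys), the attacker
    // chooses text that is interpolated into the SQL below.
    $elements = $hardened ? array_values($data) : $data;
    $new_keys = [];
    foreach ($elements as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // The generated placeholder names become part of the SQL text, not bound
    // values, so anything inside them is executed as SQL by the database.
    $query = preg_replace('#' . preg_quote($key, '#') . '\b#',
                          implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return [$query, $args];
}

$sql = 'SELECT uid FROM users WHERE name IN (:name) AND status = 1';

// Constructed sample input (illustrative only): the array KEY, not the
// value, carries SQL syntax.
$crafted = [':name' => ['0 OR 1=1 -- ' => 'x']];

[$unsafe_sql, $unsafe_args] = expand_arguments($sql, $crafted, false);
[$safe_sql, $safe_args]     = expand_arguments($sql, $crafted, true);

echo "unsafe SQL:    $unsafe_sql\n";
echo "hardened SQL:  $safe_sql\n";
echo "hardened args: " . json_encode($safe_args) . "\n";
```

In the unsafe branch the caller-supplied key is spliced into the query string before it ever reaches the driver, so parameter binding cannot protect it; in the hardened branch the same string survives only as a bound value under a fixed placeholder name. The corresponding check on an installed site is the core version: Drupal 7 defines it as the `VERSION` constant in includes/bootstrap.inc, and anything below 7.32 needs either the upgrade or the database.inc patch the advisory points to.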
Content management system vulnerabilities are juicy targets for hackers, explained Incapsula’s Orion Cassetto in a blog post Sept. 11.
“Since the top CMSes are so popular, these security vulnerabilities are actively sought after—both by security researchers and members of the hacker community,” Cassetto argued. “Once identified, these flaws can turn into a virtual gold mine for hackers, creating a much more efficient way for them to execute automated mass-scale attacks.”
“Adding to the issue,” Cassetto continued, “are website operators who use weak passwords, leaving their admin accounts vulnerable to automated brute force attacks. In the past we’ve shown how such weak passwords were used to inject the website with malware, turning them into DDoS zombies.”
The Drupal Security Team advises users who cannot upgrade to Drupal 7.32 immediately to apply the patch it provides for Drupal’s database.inc file as a stopgap until they are able to move to the current version.
“Although there are no known exploits in use at this time, Drupal 7 sites are exposed to this vulnerability until they are updated,” according to a FAQ posted by the Drupal team. “Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information.”
More from Brian Prince