A critical SQL injection bug has been patched in Drupal, and users are being advised to upgrade as soon as possible.
The vulnerability exists in all Drupal core 7.x versions up to the just-released 7.32 version, which fixes the issue.
“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks,” according to an advisory from the Drupal Security Team. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”
This vulnerability can be exploited by anonymous users, the advisory adds.
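The advisory above describes the job of a database abstraction layer: the SQL text the driver sees should contain only placeholders, with every caller-supplied value bound as a parameter. The following is an added example (not Drupal code and not from the advisory) of that pattern for the common case of expanding a list of values into an `IN (...)` clause, written in Python against SQLite so it runs stand-alone; the `users` table, its rows, and the `expand_in_list`/`find_users` helpers are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo: (uid, name, status).
SAMPLE_ROWS = [(1, "alice", 1), (2, "bob", 0), (3, "carol", 1)]


def expand_in_list(column, values):
    """Return (sql_fragment, bound_params) for `column IN (...)`.

    Placeholder names come from a counter, never from the caller's data:
    if `values` is a mapping, its keys are discarded and only the values
    are bound.  The returned SQL text therefore contains nothing that
    originated outside this function except the validated column name.
    """
    if isinstance(values, dict):
        values = list(values.values())   # caller-supplied keys are never used in SQL
    else:
        values = list(values)
    if not values:
        raise ValueError("IN list must not be empty")
    if not column.isidentifier():
        raise ValueError("column name must be a plain identifier")
    names = [f"p{i}" for i in range(len(values))]          # p0, p1, ...
    fragment = f"{column} IN ({', '.join(':' + n for n in names)})"
    return fragment, dict(zip(names, values))


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, status INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_users(conn, ids):
    """Active users whose uid is in `ids`; `ids` is treated purely as data."""
    where, params = expand_in_list("uid", ids)
    sql = f"SELECT uid, name FROM users WHERE {where} AND status = 1 ORDER BY uid"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_users(db, [1, 3]))                 # [(1, 'alice'), (3, 'carol')]
    print(find_users(db, {"a": 2, "b": 1}))       # [(1, 'alice')]  (bob is inactive)
    print(expand_in_list("uid", ["1) OR (1=1"]))  # the string stays a bound value
```

The check worth carrying into a code review of any such layer is the one the docstring states: nothing derived from the caller's arguments, including mapping keys, may be concatenated into the SQL string; only the placeholder count may depend on them.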
Content management system (CMS) vulnerabilities are juicy targets for hackers, as Incapsula’s Orion Cassetto explained in a blog post on Sept. 11.
“Since the top CMSes are so popular, these security vulnerabilities are actively sought after—both by security researchers and members of the hacker community,” Cassetto argued. “Once identified, these flaws can turn into a virtual gold mine for hackers, creating a much more efficient way for them to execute automated mass-scale attacks.”
“Adding to the issue,” Cassetto continued, “are website operators who use weak passwords, leaving their admin accounts vulnerable to automated brute force attacks. In the past we’ve shown how such weak passwords were used to inject the website with malware, turning them into DDoS zombies.”
For users who are not able to upgrade to Drupal 7.32 right away, the Drupal Security Team advises applying this patch to Drupal’s database.inc file as a stopgap until they are ready to upgrade fully to the current version.
“Although there are no known exploits in use at this time, Drupal 7 sites are exposed to this vulnerability until they are updated,” according to a FAQ posted by the Drupal team. “Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information.”