A critical SQL injection bug has been patched in Drupal, and users are being advised to upgrade as soon as possible.
The vulnerability exists in all Drupal core 7.x versions prior to the just-released 7.32, which fixes the issue.
“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks,” according to an advisory from the Drupal Security Team. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”
This vulnerability can be exploited by anonymous users, the advisory adds.
Content management system vulnerabilities are juicy targets for hackers, explained Incapsula’s Orion Cassetto in a Sept. 11 blog post.
“Since the top CMSes are so popular, these security vulnerabilities are actively sought after—both by security researchers and members of the hacker community,” Cassetto argued. “Once identified, these flaws can turn into a virtual gold mine for hackers, creating a much more efficient way for them to execute automated mass-scale attacks.”
“Adding to the issue,” Cassetto continued, “are website operators who use weak passwords, leaving their admin accounts vulnerable to automated brute force attacks. In the past we’ve shown how such weak passwords were used to inject the website with malware, turning them into DDoS zombies.”
The Drupal Security Team advises users who are not able to upgrade to Drupal 7.32 to apply the patch it has published for Drupal’s database.inc file, which fixes the issue until they are ready to upgrade fully to the current version.
“Although there are no known exploits in use at this time, Drupal 7 sites are exposed to this vulnerability until they are updated,” according to a FAQ posted by the Drupal team. “Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information.”
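The advisory says only that crafted requests reach the database abstraction layer as arbitrary SQL, and that a one-file patch to database.inc closes the hole. The example below is added here and is not code from Drupal, from the advisory or from the patch; it reconstructs in miniature, in Python against an in-memory SQLite table, the class of bug being described: a query builder that expands an array-valued placeholder into one placeholder per element and derives the new placeholder names from the caller-supplied array keys. Everything else is assumed for illustration: the `users` table and its rows are constructed, the login query is invented, the hostile input models a web request whose array keys (PHP's `name[...]` syntax) are attacker-controlled, and the `emulate_bind` helper stands in for a driver that substitutes quoted literals into the SQL text client-side. The hardened expander numbers placeholders with a counter so that caller-supplied keys never reach the SQL text.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table for the demo; not real Drupal data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "h1"), (2, "alice", "h2"), (3, "bob", "h3")],
    )
    return conn


def _expand(query, args, naming):
    """Expand every dict-valued argument, e.g. {'name': {...}} for ':name',
    into ':name_<suffix>, :name_<suffix>, ...'.  `naming` yields the
    (suffix, value) pairs and is the only thing that differs between the
    vulnerable and the hardened builder."""
    args = dict(args)
    for placeholder, values in list(args.items()):
        if not isinstance(values, dict):
            continue
        new_keys = {f"{placeholder}_{suffix}": v for suffix, v in naming(values)}
        expanded = ", ".join(":" + k for k in new_keys)
        # Replace the bare ':name' token (word boundary keeps ':name_x' intact).
        query = re.sub(re.escape(":" + placeholder) + r"\b", lambda _m: expanded, query)
        del args[placeholder]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Defect: the suffix is the caller's own array key, so request-controlled
    text is spliced into the SQL before any binding happens."""
    return _expand(query, args, lambda values: values.items())


def expand_arguments_hardened(query, args):
    """Fix: suffixes are positional counters; keys never reach the SQL text."""
    return _expand(query, args, lambda values: enumerate(values.values()))


def emulate_bind(query, args):
    """Client-side emulation of prepared statements: each ':token' is replaced
    by a quoted literal looked up by name.  Anything that is not a token is
    passed through untouched, which is what lets injected SQL survive."""
    def quote(v):
        return "'" + str(v).replace("'", "''") + "'"

    return re.sub(r":([A-Za-z_][A-Za-z0-9_]*)", lambda m: quote(args[m.group(1)]), query)


# Invented login query for the demo.
LOGIN = "SELECT uid, name FROM users WHERE name IN (:name) AND pass = :pass"

# Constructed hostile request, roughly  name[0) OR 1=1 --]=x&name[0]=x&pass=wrong
# The second key ('0') exists only so that ':name_0' resolves at bind time.
HOSTILE_NAME = {"0) OR 1=1 --": "x", "0": "x"}


def run_login(expander, name_values, password):
    """Build, bind and execute the login query; return (final SQL, rows)."""
    conn = make_db()
    query, args = expander(LOGIN, {"name": name_values, "pass": password})
    sql = emulate_bind(query, args)
    rows = conn.execute(sql).fetchall()
    conn.close()
    return sql, rows


if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("hardened", expand_arguments_hardened)):
        sql, rows = run_login(fn, HOSTILE_NAME, "wrong")
        print(f"{label}: {sql}")
        print(f"   rows returned: {rows}")
```

With the vulnerable expander the hostile key turns the query into `... WHERE name IN ('x') OR 1=1 --, 'x') AND pass = 'wrong'`, and every user row, admin included, comes back despite the wrong password; the hardened expander produces `... IN ('x', 'x') AND pass = 'wrong'` and returns nothing. Note that switching to real server-side binding would not rescue the vulnerable path: by the time `:name_0` is bound, the `OR 1=1 --` is already part of the statement text. The defence is to never derive SQL text from untrusted strings, which is why a builder fix in the abstraction layer, not a change to individual queries, is the right shape of patch.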