Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

Update: Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: https://www.drupal.org/PSA-2014-003

CVE identifier(s) issued

CVE-2014-3704

Versions affected

Drupal core 7.x versions prior to 7.32.

Solution

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.32.

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page and the follow-up public service announcement.

Reported by

Stefan Horst

Fixed by

Stefan Horst

Greg Knaddison of the Drupal Security Team

Lee Rowlands of the Drupal Security Team

David Rothstein of the Drupal Security Team

Klaus Purer of the Drupal Security Team

Coordinated by

Contact and More Information

We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at

https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Edits to this advisory since publishing