0 SHARES Facebook Twitter

The Drupal team just released a security update for Drupal 7.x to address a highly critical SQL injection vulnerability. This bug can be exploited remotely by non-authenticated users and was classified as “Highly Critical” by the Drupal Security team. More information is available in their public advisory:

Posted by Drupal Security Team on October 15, 2014 at 4:02pm Advisory ID: DRUPAL-SA-CORE-2014-005 Version: 7.x Date: 2014-Oct-15 Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All Vulnerability: SQL Injection

Users on the Drupal 7.x branch need to update to the version 7.32 immediately. The good news for our clients is that if you are leveraging our Website Firewall (CloudProxy) product you have been proactively patched against this vulnerability. If you can not patch your installation, we recommend applying their patch manually or adding your site behind a proper website firewall. You should also scan your Drupal installation for hacks and can follow our guide to fix the compromise if needed.

Understanding the SQL Injection

The team behind SektionEins identified this vulnerability and disclosed responsibly to the Drupal team last month. They too provided an advisory with the technical details, recommend reading if you’re a developer or system administrator.

Cliff-note version: They found a way to bypass the protection that Drupal has in place when creating the prepared statements for the SQL queries. Where a query would look like:

SELECT * FROM {users} WHERE name IN (:name_0, :name_1)

The attacker could manipulate it to look like:

SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)

The scariest part of this vulnerability is that since Drupal uses PDO, this vulnerability is not only limited to SELECT statements, an attacker is able to able to insert or modify arbitrary data in the database.

Severity, coupled with it’s simplicity is a recipe for disaster. It’s a matter of time before it’s integrated into the latest toolsets and attacks are actively detected.

2014/10/15 18:17 – Update 1: There are POC (proofs of concepts) being shared on many underground forums. Won’t be long before we start to see exploitation attempts.