
Drupal Core SQL Injection Vulnerability Leveraged in Drive-by Attacks

Lucian Ciolacu

October 31, 2014


The Drupal Core SQL injection vulnerability disclosed two weeks ago has recently been leveraged in automated attacks aimed at compromising websites, according to an announcement by Drupal.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection,” Drupal advised. “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC.”


The SQL injection vulnerability lies in the database abstraction API and can be exploited through crafted requests that lead to arbitrary SQL execution.

“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks,” Drupal said in its description of the flaw.

All Drupal core 7.x versions prior to 7.32 are vulnerable. For those who cannot update to the latest version, Drupal created a patch that fixes the flaw.

Websites that have already been compromised cannot be fixed by updating or applying the patch alone.

Drupal also published a walkthrough covering “Data and damage control” and “Recovery” guidelines.
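The triage rule in Drupal's statement, applied to a site inventory, as an added example that is not code from Drupal or from this article. The host names and timestamps are constructed, the status labels are hypothetical, and the cutoff year 2014 is an assumption inferred from the advisory ID. It shows why checking only the current version is not enough: a site on 7.32 that was updated after the cutoff is still treated as compromised.

```python
from datetime import datetime, timezone

# Cutoff quoted from Drupal's statement ("Oct 15th, 11pm UTC"); the year 2014
# is an assumption inferred from the advisory ID SA-CORE-2014-005.
CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)
FIXED = (7, 32)  # first fixed Drupal 7 release, per the article

# Constructed sample inventory: (host, core version, time of update or patch).
SITES = [
    ("shop.example", "7.32", "2014-10-15T20:30:00+00:00"),
    ("blog.example", "7.32", "2014-10-16T01:10:00+02:00"),      # 23:10 UTC, Oct 15
    ("wiki.example", "7.31", None),                             # never remediated
    ("intranet.example", "7.31", "2014-10-15T18:00:00-04:00"),  # patched, 22:00 UTC
]


def parse_version(text):
    """Turn '7.31' or '7.32-dev' into a comparable (major, minor) tuple."""
    major, _, rest = text.strip().partition(".")
    minor = "".join(ch for ch in rest.split("-")[0] if ch.isdigit())
    return int(major), int(minor or 0)


def triage(version, remediated_at=None):
    """Classify a site; remediated_at is an ISO 8601 time with a UTC offset."""
    ver = parse_version(version)
    if ver[0] != 7:
        return "out-of-scope"  # the article covers Drupal core 7.x only
    if remediated_at is None:
        # No record of a fix: pre-7.32 is still exposed, 7.32+ needs its date found.
        return "vulnerable-assume-compromised" if ver < FIXED else "unknown-fix-time"
    when = datetime.fromisoformat(remediated_at)
    if when.tzinfo is None:
        raise ValueError("timestamp needs a UTC offset to compare with the cutoff")
    if when.astimezone(timezone.utc) < CUTOFF:
        return "remediated-in-time"
    # Fixed after the cutoff: updating alone does not clean a compromised site.
    return "assume-compromised"


if __name__ == "__main__":
    for host, version, fixed_at in SITES:
        print(f"{host:18} {version:6} {triage(version, fixed_at)}")
```

Sites that come back as `assume-compromised` or `vulnerable-assume-compromised` are the ones the recovery guidance applies to.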
