The Drupal core SQL injection vulnerability disclosed two weeks ago has since been exploited in automated attacks aimed at compromising websites, according to an announcement from Drupal.
“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection,” Drupal advised. “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC.”
The SQL injection vulnerability lies in Drupal 7's database abstraction API, the layer that is supposed to protect queries from injection by binding parameters. A crafted request can nonetheless cause arbitrary SQL to be executed, and no authentication is required, which is why the attacks could be fully automated.
“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks,” Drupal said in its description of the flaw.
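To make the bug class concrete, here is an added example in Python that models the flaw fixed in Drupal 7.32; it is not Drupal's code and not from the original article. Drupal 7 expands an array-valued placeholder such as `:name` into `:name_0, :name_1, ...`, and before 7.32 the suffix came from the array keys, which arrive unmodified in the request; the fix iterates over `array_values()` so the suffix is always a positional index. The query, the argument shapes, the key names and the helper names below are assumptions chosen for illustration.

```python
import re

# Constructed sample input (not from Drupal or the article): the parameterised
# query the application intends to run, and two request-shaped argument arrays.
QUERY = "SELECT uid FROM users WHERE name IN (:name)"
BENIGN_ARGS = {"name": {0: "alice", 1: "bob"}}
# Hypothetical hostile input: the attacker controls the array *key*, not just the value.
MALICIOUS_ARGS = {"name": {"0; DROP TABLE users; --": "alice", 1: "bob"}}

PLACEHOLDER = re.compile(r":([A-Za-z0-9_]+)")


def expand_arguments(query, args, use_positional_index):
    """Rewrite every array-valued placeholder ':name' into ':name_0, :name_1, ...'.

    use_positional_index=False models the pre-7.32 behaviour: the suffix is the
    array key, taken straight from the request.
    use_positional_index=True models the 7.32 fix: iterate over the values only,
    so the suffix is a small integer that the attacker cannot influence.
    Returns the rewritten query and the flat dict of bound parameters.
    """
    bound = {}
    for name, value in args.items():
        if not isinstance(value, dict):
            bound[name] = value
            continue
        items = enumerate(value.values()) if use_positional_index else value.items()
        new_names = []
        for i, v in items:
            new_name = f"{name}_{i}"
            new_names.append(new_name)
            bound[new_name] = v
        query = query.replace(f":{name}", ", ".join(f":{n}" for n in new_names))
    return query, bound


def placeholders_are_well_formed(query, bound):
    """Invariant a safe expansion must keep: every placeholder token in the SQL
    is a bound parameter and every bound parameter appears as a token. A key that
    smuggled SQL into the statement breaks this, because the bound name no longer
    matches any ':identifier' token in the query text."""
    return set(PLACEHOLDER.findall(query)) == set(bound)


if __name__ == "__main__":
    for label, positional in (("vulnerable", False), ("fixed", True)):
        q, b = expand_arguments(QUERY, MALICIOUS_ARGS, positional)
        print(f"{label:10s} {q}  well-formed={placeholders_are_well_formed(q, b)}")
```

Running the block prints the hostile key spliced verbatim into the statement for the vulnerable expansion and a clean `IN (:name_0, :name_1)` for the fixed one; the well-formedness check is the kind of assertion a test suite can keep around so a regression in placeholder handling fails loudly instead of shipping.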
All Drupal core 7.x versions prior to 7.32 are vulnerable. For those who cannot update to the latest version, Drupal created a patch that fixes the flaw.
Websites that were already compromised cannot be cleaned merely by updating or applying the patch: the fix closes the hole, but it does not remove backdoors, rogue accounts or modified files that an attacker may have left behind.
Drupal's announcement also includes “Data and damage control” and “Recovery” sections that walk administrators through assessing the damage and restoring an affected site.