The Drupal team just released a security update for Drupal 7.x to address a highly critical SQL injection vulnerability. This bug can be exploited remotely by non-authenticated users and was classified as “Highly Critical” by the Drupal Security team. More information is available in their public advisory:
Posted by Drupal Security Team on October 15, 2014 at 4:02pm Advisory ID: DRUPAL-SA-CORE-2014-005 Version: 7.x Date: 2014-Oct-15 Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All Vulnerability: SQL Injection
Users on the Drupal 7.x branch need to update to the version 7.32 immediately. The good news for our clients is that if you are leveraging our Website Firewall (CloudProxy) product you have been proactively patched against this vulnerability. If you can not patch your installation, we recommend applying their patch manually or adding your site behind a proper website firewall. You should also scan your Drupal installation for hacks and can follow our guide to fix the compromise if needed.
Understanding the SQL Injection
The team behind SektionEins identified this vulnerability and disclosed responsibly to the Drupal team last month. They too provided an advisory with the technical details, recommend reading if you’re a developer or system administrator.
Cliff-note version: They found a way to bypass the protection that Drupal has in place when creating the prepared statements for the SQL queries. Where a query would look like:
SELECT * FROM {users} WHERE name IN (:name_0, :name_1)
The attacker could manipulate it to look like:
SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)
The scariest part of this vulnerability is that since Drupal uses PDO, this vulnerability is not only limited to SELECT statements, an attacker is able to able to insert or modify arbitrary data in the database.
Severity, coupled with it’s simplicity is a recipe for disaster. It’s a matter of time before it’s integrated into the latest toolsets and attacks are actively detected.
2014/10/15 18:17 – Update 1: There are POC (proofs of concepts) being shared on many underground forums. Won’t be long before we start to see exploitation attempts.
Denis Sinegubko
Luke Leal
Cesar Anjos
John Castro
Art Martori
Tony Perez
8 comments
This looks really bad. It looks like it won’t be difficult to find an exploitable location. “The problem occurs, if the array has keys, which are no integers.”
Example:
db_query(“SELECT * FROM {users} where name IN (:name)”, array(‘:name’=>array(‘test — ‘ => ‘user1′,’test’ => ‘user2’)));
Drupal owners are going to have a really bad day. I just tested a POC against Drupal 7.31 to reset the uid 1 password pre-auth.
where did you foind the poc?
it’s not that hard, even if someone can’t update to Drupal 7.32, the fix is a one line change on file includes/database/database.inc: http://cgit.drupalcode.org/drupal/patch/?id=26a7752c34321fd9cb889308f507ca6bdb777f08&SA-CORE-2014-005 and can be applied manually on most (all?) Drupal 7 installs
This was found more than a year ago, and fixed: https://www.drupal.org/node/2146839
Great, I found this more than a year ago… https://www.drupal.org/node/2146839
Yup they’re in the wild, blocked the ip, cleaned the server and site and updated to 7.32… damn those bstrds
Can you refresh this post to the new update. Did something change?
Comments are closed.