Highly Critical SQL Injection Vulnerability Patched in Drupal Core

October 15, 2014, by Daniel Cid


The Drupal team has just released a security update for Drupal 7.x to address a highly critical SQL injection vulnerability. The bug can be exploited remotely by unauthenticated users and was classified as "Highly Critical" by the Drupal Security Team. More information is available in their public advisory:

Posted by Drupal Security Team on October 15, 2014 at 4:02pm
Advisory ID: DRUPAL-SA-CORE-2014-005
Version: 7.x
Date: 2014-Oct-15
Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection

Users on the Drupal 7.x branch need to update to version 7.32 immediately. The good news for our clients is that if you are using our Website Firewall (CloudProxy) product, you have already been proactively patched against this vulnerability. If you cannot update your installation, we recommend applying the Drupal patch manually or placing your site behind a proper website firewall. You should also scan your Drupal installation for signs of compromise and, if needed, follow our guide to clean it up.

Understanding the SQL Injection

The team at SektionEins identified this vulnerability and responsibly disclosed it to the Drupal team last month. They also published an advisory with the technical details, which we recommend reading if you are a developer or system administrator.

CliffsNotes version: they found a way to bypass the protection Drupal has in place when building prepared statements for its SQL queries. Where an expanded query would normally look like:

 SELECT * FROM {users} WHERE name IN (:name_0, :name_1)

The attacker could manipulate it to look like:

 SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)

The scariest part of this vulnerability is that, because Drupal uses PDO, it is not limited to SELECT statements: an attacker is able to insert or modify arbitrary data in the database.
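To make the mechanism concrete, here is an added Python re-implementation of the array-argument placeholder expansion the advisory describes. It is not Drupal's PHP code and not part of the original post; the query shape and argument values are constructed for illustration. It shows how, in the 7.31 behaviour, attacker-controlled array keys are spliced verbatim into the placeholder names and therefore into the query text, how the 7.32 fix (renumbering the values, which the added code approximates with enumerate in place of PHP's array_values) closes that path, and a defensive check that flags any expanded placeholder name that is not a plain identifier.

```python
import re

# Constructed sample: the query shape from the post, with an IN (...) placeholder
# that Drupal expands from an array argument.
SAMPLE_QUERY = "SELECT * FROM {users} WHERE name IN (:name)"

# Constructed sample arguments: the array keys are attacker-controlled and one
# of them carries an SQL comment sequence.
SAMPLE_ARGS = {":name": {"test -- ": "user1", "test": "user2"}}


def expand_arguments(query, args, use_array_values):
    """Illustrative re-implementation (assumption: mirrors Drupal 7's
    expandArguments() closely enough for this demonstration).

    use_array_values=False mimics 7.31, where array keys become part of the
    placeholder name verbatim; use_array_values=True mimics the 7.32 fix,
    which renumbers the values 0..n-1 and ignores the keys.
    Returns the rewritten query and the flattened argument dict.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        if isinstance(data, list):
            data = dict(enumerate(data))
        if use_array_values:
            items = enumerate(data.values())   # keys discarded: 0, 1, 2, ...
        else:
            items = data.items()               # keys used as-is (vulnerable)
        new_keys = {f"{key}_{i}": value for i, value in items}
        placeholders = ", ".join(new_keys)
        # Drupal replaces the placeholder with preg_replace('#' . $key . '\b#', ...);
        # a callable replacement avoids any escape processing of the new text.
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


# A placeholder name should only ever be a colon followed by identifier characters.
PLACEHOLDER_RE = re.compile(r"^:[A-Za-z0-9_]+$")


def unsafe_placeholder_names(args):
    """Defensive check: return every expanded placeholder name that is not a
    plain identifier, i.e. one that would end up as raw SQL text."""
    bad = []
    for key, data in args.items():
        if isinstance(data, dict):
            for i in data:
                name = f"{key}_{i}"
                if not PLACEHOLDER_RE.match(name):
                    bad.append(name)
    return bad


if __name__ == "__main__":
    q_old, _ = expand_arguments(SAMPLE_QUERY, SAMPLE_ARGS, use_array_values=False)
    q_new, _ = expand_arguments(SAMPLE_QUERY, SAMPLE_ARGS, use_array_values=True)
    print("7.31-style expansion:", q_old)
    print("7.32-style expansion:", q_new)
    print("suspicious placeholder names:", unsafe_placeholder_names(SAMPLE_ARGS))
```

Run with the vulnerable flag, the expansion turns the placeholder into `IN (:name_test -- , :name_test)`, so the comment sequence from the key lands in the query text before the prepared statement is ever sent to PDO; with the fixed flag the same input yields `IN (:name_0, :name_1)`. The check at the end is the kind of assertion a site owner who cannot update immediately could wrap around their own array-argument queries while the manual patch is applied.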

Severity coupled with simplicity is a recipe for disaster. It is only a matter of time before this bug is integrated into the latest attack toolsets and active exploitation is detected.

2014/10/15 18:17 – Update 1: PoCs (proofs of concept) are being shared on many underground forums. It won't be long before we start to see exploitation attempts.


Categories: Drupal Security, Security Advisory, Security Education, Vulnerability Disclosure, Website Malware Infections
Tags: SQL Injection

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid


Comments

  1. Craig A

    October 15, 2014

    This looks really bad. It looks like it won’t be difficult to find an exploitable location. “The problem occurs, if the array has keys, which are no integers.”

    Example:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name' => array('test -- ' => 'user1', 'test' => 'user2')));

    • Craig A

      October 15, 2014

      Drupal owners are going to have a really bad day. I just tested a POC against Drupal 7.31 to reset the uid 1 password pre-auth.

      • FK

        October 16, 2014

        Where did you find the PoC?

      • vinicius

        October 18, 2014

        It's not that hard: even if someone can't update to Drupal 7.32, the fix is a one-line change in the file includes/database/database.inc: http://cgit.drupalcode.org/drupal/patch/?id=26a7752c34321fd9cb889308f507ca6bdb777f08&SA-CORE-2014-005 and it can be applied manually on most (all?) Drupal 7 installs.

  2. Guest

    October 16, 2014

    This was found more than a year ago, and fixed: https://www.drupal.org/node/2146839

  3. David Garcia Garcia

    October 16, 2014

    Great, I found this more than a year ago… https://www.drupal.org/node/2146839

  4. damnthatonelinepatch

    October 16, 2014

    Yup, they're in the wild. Blocked the IP, cleaned the server and site, and updated to 7.32… damn those bstrds

  5. CTS

    January 25, 2016

    Can you refresh this post with the new update? Did something change?
