
A Drupal security advisory, SA-CORE-2014-005, rather embarrassingly states that:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

I think that's a whoops, with an uppercase W. The highly critical SQL injection vulnerability is to be found in versions of Drupal 7 prior to 7.32, and users should immediately upgrade to 7.32 to fix the problem. The urgency for updating is confirmed by the fact that sharing of proof-of-concept code has been spotted on assorted dark web forums and there is at least one known live exploit out there.
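A version check for the upgrade the advisory calls for, added here as an example and not code from the original article or from Drupal itself: it assumes Drupal 7's convention of declaring the core version as `define('VERSION', '7.xx');` in `includes/bootstrap.inc`, and flags any 7.x release below 7.32 as affected. The `bootstrap.inc` snippet is constructed sample input.

```python
import re

# SA-CORE-2014-005: Drupal 7 releases before 7.32 are affected.
FIXED_VERSION = (7, 32)

# Drupal 7 declares its core version in includes/bootstrap.inc as
# define('VERSION', '7.31');  (assumed layout, matched loosely)
VERSION_RE = re.compile(
    r"""define\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Constructed sample of the relevant part of includes/bootstrap.inc.
SAMPLE_BOOTSTRAP_INC = """<?php
/**
 * The current system version.
 */
define('VERSION', '7.31');
"""


def parse_version(bootstrap_inc_text):
    """Return the VERSION string declared in bootstrap.inc, or None if absent."""
    match = VERSION_RE.search(bootstrap_inc_text)
    return match.group(1) if match else None


def is_affected(version):
    """True if `version` is a 7.x release below 7.32, False if 7.32 or later.

    Returns None for versions outside the 7.x branch named in the advisory.
    A '-dev' snapshot of the fixed release (e.g. '7.32-dev') is treated as
    affected, since it predates the fix and cannot be verified from the number.
    """
    core, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    if parts[0] != 7:
        return None
    if parts[:2] < FIXED_VERSION:
        return True
    if parts[:2] == FIXED_VERSION and suffix:
        return True
    return False


def assess(bootstrap_inc_text):
    """Return (version, affected) for a bootstrap.inc file's contents."""
    version = parse_version(bootstrap_inc_text)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    print(assess(SAMPLE_BOOTSTRAP_INC))
```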

Dwayne Melancon, CTO at Tripwire, told me that "the ever-increasing use of Open Source and third-party software components means this isn’t the last time we will see this kind of vulnerability – diligence is critical, and this is as much a supply chain issue as it is a technical one. This situation shares similarities with other recently discovered exploits such as ShellShock, Heartbleed, and the Poodle SSL vulnerability in that it is something that has been around for quite a while but just wasn’t known. Exploits, such as this one, that enable arbitrary command execution by unauthenticated remote users are one of the worst forms of exposure for an organization."

Guillermo Lafuente, Security Consultant at MWR InfoSecurity, adds: "Is it surprising that this SQL vulnerability was found in an API meant to stop SQL injections? Drupal uses prepared statements in all its SQL queries, so it’s definitely surprising that such a vulnerability was found. The issue was found during a code review audit performed by Stefan Horst for a client, and therefore it shows that the Drupal community has failed to carry out sufficient audits of its codebase to ensure these vulnerabilities are not present. What is even more surprising is that the issue was reported to the Drupal community in November 2013, as shown here. The Drupal community failed to react to a reported security vulnerability, hence the issue."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
