Drupal 7 SQL injection prevention API vulnerable to SQL injection attacks

happygeek

A Drupal security advisory, SA-CORE-2014-005, rather embarrassingly states that:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

I think that's a whoops, with an uppercase W. The highly critical SQL injection vulnerability is to be found in versions of Drupal 7 prior to 7.32 and users should immediately upgrade to 7.32 to fix the problem. The urgency for updating is confirmed by the fact that proof of concept sharing has been spotted on assorted dark web forums and there is at least one known live exploit out there.
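To act on that upgrade advice across a server, the sketch below (an added example, not code from the advisory or from Drupal) walks a directory tree, reads the `VERSION` constant that Drupal 7 core defines in `includes/bootstrap.inc`, and flags every Drupal 7 install older than 7.32. The function names, the sample site directories and the conservative treatment of a suffixed `7.32-dev` build as affected are assumptions made for this example.

```python
import os
import re
import tempfile

# Drupal 6/7 core declares its version in includes/bootstrap.inc,
# e.g. define('VERSION', '7.31');
VERSION_RE = re.compile(r"define\(\s*['\"]VERSION['\"]\s*,\s*['\"](\d+)\.(\d+)([^'\"]*)['\"]")
FIXED_MINOR = 32  # 7.32 is the fixed release named in the article


def is_affected(bootstrap_text):
    """True/False for a parsable version, None when no VERSION is found."""
    m = VERSION_RE.search(bootstrap_text)
    if not m:
        return None
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if major != 7:
        return False  # the advisory covers the Drupal 7 line only
    # Assumption: a suffixed 7.32 (e.g. "7.32-dev") is a pre-release snapshot,
    # so it is conservatively flagged along with everything below 7.32.
    return minor < FIXED_MINOR or (minor == FIXED_MINOR and suffix != "")


def scan(root):
    """Walk root; return sorted [(site_dir, affected)] per Drupal core found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "includes" and "bootstrap.inc" in files:
            path = os.path.join(dirpath, "bootstrap.inc")
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = is_affected(fh.read())
            if verdict is not None:
                findings.append((os.path.dirname(dirpath), verdict))
    return sorted(findings)


def demo():
    """Scan a constructed tree of fake sites (sample data, not real hosts)."""
    samples = {"a_old": "7.31", "b_dev": "7.32-dev", "c_fixed": "7.32", "d_six": "6.33"}
    with tempfile.TemporaryDirectory() as root:
        for name, version in samples.items():
            inc = os.path.join(root, name, "includes")
            os.makedirs(inc)
            with open(os.path.join(inc, "bootstrap.inc"), "w") as fh:
                fh.write("<?php\ndefine('VERSION', '%s');\n" % version)
        return [(os.path.basename(site), hit) for site, hit in scan(root)]


if __name__ == "__main__":
    for site, hit in demo():
        print(site, "AFFECTED: upgrade to 7.32" if hit else "not in scope")
```

Point `scan()` at the directory that holds your web roots to get the same verdict list for real installs.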

Dwayne Melancon, CTO at Tripwire, told me that "the ever-increasing use of Open Source and third-party software components means this isn’t the last time we will see this kind of vulnerability – diligence is critical, and this is as much a supply chain issue as it is a technical one. This situation shares similarities with other recently discovered exploits such as ShellShock, Heartbleed, and the Poodle SSL vulnerability in that it is something that has been around for quite a while but just wasn’t known. Exploits, such as this one, that enable arbitrary command execution by unauthenticated remote users are one of the worst forms of exposure for an organization."

Guillermo Lafuente, Security Consultant at MWR InfoSecurity, adds "is it surprising that this SQL vulnerability was found in an API meant to stop SQL injections? Drupal uses prepared statements in all its SQL queries, so it’s definitely surprising that such a vulnerability was found. The issue was found during a code review audit performed by Stefan Horst for a client and therefore it shows that the Drupal community has failed to carry out sufficient audits of its codebase to ensure these vulnerabilities are not present. What is even more surprising is that the issue was reported to the Drupal community in November 2013 as shown here. The Drupal community failed to react to a reported security vulnerability, hence the issue."