Drupal Vulnerability Patched

Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent SQL injection attacks. “Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks,” the Drupal advisory says. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”

One thought on “Drupal Vulnerability Patched”

  1. I need to chew through logs, but I’m pretty sure this has been a “known” issue for at least a month or two on the black hat side of things. (I have three sites impacted, one likely affected.)

    Now to figure out how best to analyze my db to ensure there’s nothing left behind.
