Drupal has released a HIGHLY CRITICAL security advisory for its latest version of the popular content management system, urgently advising users to update to Drupal 7.32 or install a patch to fix the vulnerability.

The vulnerability, reported by Stefan Horst from SektionEins GmbH, allows unauthenticated users to gain full control of the database and to perform remote code execution. It lies in a function that Drupal uses to expand variables in a prepared SQL statement.

Because no social engineering is required and the vulnerability is easy to exploit, practically anyone on the internet can gain access to your Drupal database or take control of the server running Drupal. It is therefore highly recommended that the Drupal update is installed immediately. This vulnerability is listed in the NVD as CVE-2014-3704.
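To make the class of bug concrete, the following is an added illustration and is not Drupal's code or the Acunetix scanner's check. It models a helper that expands an array-valued placeholder such as `:ids` into `:ids_0, :ids_1, ...` before the statement is prepared. The unsafe variant splices caller-supplied array keys into the SQL text; the hardened variant validates the placeholder name and numbers the values with its own counter, so nothing taken from the input ever reaches the query string. The function names and the sample query are assumptions made for this example.

```php
<?php
// Added illustration (not Drupal's code): expanding array placeholders
// for a prepared statement. Both functions return [$sql, $args].

// UNSAFE: the array keys supplied by the caller ($i) become part of the
// placeholder name and therefore part of the SQL text. If those keys can
// be influenced by request data, the prepared statement no longer protects
// the query.
function expandArgumentsUnsafe(string $sql, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        $newKeys = [];
        foreach ($data as $i => $value) {            // $i is caller-controlled
            $newKeys[$key . '_' . $i] = $value;       // and lands in the SQL text
        }
        $sql = preg_replace('#' . preg_quote($key, '#') . '\b#',
                            implode(', ', array_keys($newKeys)), $sql);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$sql, $args];
}

// HARDENED: the placeholder name must look like an identifier, and the
// expanded names are generated from a private counter. Input keys are
// discarded, so the only strings written into the SQL are ones this
// function built itself.
function expandArgumentsSafe(string $sql, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        if (!preg_match('/^:[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            throw new InvalidArgumentException("Invalid placeholder name: $key");
        }
        $newKeys = [];
        $i = 0;
        foreach ($data as $value) {                   // keys ignored on purpose
            $newKeys[$key . '_' . $i] = $value;
            $i++;
        }
        $sql = preg_replace('#' . preg_quote($key, '#') . '\b#',
                            implode(', ', array_keys($newKeys)), $sql);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$sql, $args];
}

// Demonstration with a constructed query and constructed, non-numeric keys:
// the unsafe expansion copies the keys "first" and "second" into the SQL,
// the hardened expansion emits only :ids_0 and :ids_1 regardless of the keys.
$query = 'SELECT nid FROM node WHERE nid IN (:ids)';
$input = [':ids' => ['first' => 1, 'second' => 2]];

[$unsafeSql, $unsafeArgs] = expandArgumentsUnsafe($query, $input);
[$safeSql, $safeArgs]     = expandArgumentsSafe($query, $input);

echo "unsafe: $unsafeSql\n";
echo "safe:   $safeSql\n";
print_r($safeArgs);
```

Running the script shows the difference directly: the unsafe query text contains the caller's key names, while the hardened query text only ever contains placeholders the function generated. The same principle applies wherever a query is built from structured input: treat keys and structure with the same suspicion as values, and keep a strict allow-list on anything that is concatenated into SQL rather than bound as a parameter.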

An update has been released for Acunetix which detects vulnerable Drupal installations.

If you are using Acunetix Web Vulnerability Scanner, you can install the update from General > Program Updates, then click Download and Install updates. Scan your web servers to identify the ones running a vulnerable Drupal install.

Acunetix Online Vulnerability Scanner has been updated so that your next scan will check for this vulnerability too.


THE AUTHOR
Nicholas Sciberras
Principal Program Manager
As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.