Critical Drupal SQL Injection vulnerability

Drupal has released a HIGHLY CRITICAL security advisory for its latest version of the popular content management system, urgently advising users to update to Drupal 7.32 or install a patch to fix the vulnerability.

The vulnerability, reported by Stefan Horst from SektionEins GmbH, allows unauthenticated users to gain full control of the database and to achieve remote code execution. The flaw lies in a function that Drupal uses to expand array-valued variables into placeholders in a prepared SQL statement.
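To make the nature of that flaw concrete, the following is an added example written for this page; it is not Drupal's code and not Acunetix's. It is a simplified stand-in for a routine that expands `IN (:name)` with an array argument into `IN (:name_0, :name_1, ...)`. The function names, the sample query and the hostile input are all constructed for illustration. The vulnerable shape derives each placeholder suffix from the caller-supplied array key; the hardened shape discards the caller's keys and numbers placeholders positionally, which is the approach the Drupal 7.32 fix took.

```php
<?php
// Added example (not Drupal's code): simplified placeholder expansion.
//
// Turns  'SELECT uid FROM users WHERE name IN (:name)', [':name' => ['a', 'b']]
// into   'SELECT uid FROM users WHERE name IN (:name_0, :name_1)',
//        [':name_0' => 'a', ':name_1' => 'b']

/**
 * Vulnerable shape: the suffix of each generated placeholder is taken from
 * the KEY of the caller-supplied array. Keys are strings under the caller's
 * control, so whatever they contain is concatenated verbatim into the SQL
 * text, defeating the protection the prepared statement was supposed to give.
 */
function expand_arguments_vulnerable(string $query, array $args): array
{
    foreach (array_filter($args, 'is_array') as $placeholder => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {               // $i is caller-controlled
            $new_keys[$placeholder . '_' . $i] = $value;
        }
        $query = preg_replace('#' . preg_quote($placeholder, '#') . '\b#',
                              implode(', ', array_keys($new_keys)), $query);
        unset($args[$placeholder]);
        $args += $new_keys;
    }
    return [$query, $args];
}

/**
 * Hardened shape: array_values() throws the caller's keys away, so the
 * suffix is always a small integer and only digits can reach the query text.
 */
function expand_arguments_hardened(string $query, array $args): array
{
    foreach (array_filter($args, 'is_array') as $placeholder => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) { // $i is now 0, 1, 2, ...
            $new_keys[$placeholder . '_' . $i] = $value;
        }
        $query = preg_replace('#' . preg_quote($placeholder, '#') . '\b#',
                              implode(', ', array_keys($new_keys)), $query);
        unset($args[$placeholder]);
        $args += $new_keys;
    }
    return [$query, $args];
}

/**
 * Defensive check, usable as a regression test or a runtime guard: after
 * expansion every argument name must still be a plain ":identifier".
 */
function placeholders_are_well_formed(array $args): bool
{
    foreach (array_keys($args) as $name) {
        if (!preg_match('/^:[A-Za-z0-9_]+$/', (string) $name)) {
            return false;
        }
    }
    return true;
}

$query = 'SELECT uid FROM users WHERE name IN (:name)';

// Normal use: a plain list of values, both versions behave the same.
[$q, $a] = expand_arguments_hardened($query, [':name' => ['alice', 'bob']]);
echo $q, PHP_EOL;

// Constructed hostile input: the array KEY (not the value) carries SQL syntax.
// An inert comment is used here purely to show that the key text is copied
// into the statement unchanged.
$hostile = [':name' => ['0 /* injected */' => 'ignored']];

[$q, $a] = expand_arguments_vulnerable($query, $hostile);
echo $q, PHP_EOL;
var_dump(placeholders_are_well_formed($a));

[$q, $a] = expand_arguments_hardened($query, $hostile);
echo $q, PHP_EOL;
var_dump(placeholders_are_well_formed($a));
```

Running it shows the difference directly: the vulnerable version emits `WHERE name IN (:name_0 /* injected */)`, with the hostile key now part of the SQL text and the well-formedness check failing, while the hardened version emits `WHERE name IN (:name_0)` and the check passes. The lesson for any data-access layer is that array keys are input too; anything that is spliced into a query string, rather than bound as a value, must be generated by the code itself or validated against a strict identifier pattern.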

Since no social engineering is required and the flaw is easy to exploit, practically anyone on the internet can gain access to your Drupal database or take control of the server running Drupal, so it is highly recommended that the Drupal update is installed immediately. The vulnerability is listed in the NVD as CVE-2014-3704.

An update has been released for Acunetix which detects vulnerable Drupal installations

If you are using Acunetix Web Vulnerability Scanner, you can install the update from General > Program Updates by clicking Download and Install updates. Then scan your web servers to identify the ones running a vulnerable Drupal install.

Acunetix Online Vulnerability Scanner has been updated so that your next scan will check for this vulnerability too.
