SQL injection flaw opens Drupal sites to attack

The Drupal 7 core is vulnerable to a "Highly Critical" SQL injection bug that could allow an attacker to compromise the site.
Written by Larry Seltzer, Contributor

The Drupal security team is reporting that versions of Drupal 7 prior to 7.32 are vulnerable to a "Highly Critical" SQL injection bug. Version 7.32 is now available to address the bug and the Drupal team strongly recommends that Drupal 7 admins update their sites immediately. Drupal is a popular content management system that is free and open source.

An attacker could exploit this vulnerability to achieve privilege escalation or execute arbitrary PHP code; other, unspecified attacks are said to be possible as well. At the time the vulnerability was disclosed, no known exploits were reported to be in use. The attack can be launched by an anonymous user over the network, so no account on the site, social engineering or other preparation is needed.

The Drupal team recommends that sites install the latest release, but a patch is also available for those who prefer it.

The vulnerability exists in the database abstraction API, the layer whose parameterized queries are meant to protect Drupal against exactly this sort of attack. Because core and contributed modules route their queries through that layer, a site inherits the flaw even if none of its own code builds SQL strings by hand, which is why updating core is the fix rather than auditing modules.
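To show why a bug in this layer matters, here is an added illustrative model, written in Python for this page and not taken from Drupal's PHP code, of how a database abstraction layer expands an array-valued placeholder such as `:name` into `:name_0, :name_1, ...` before handing the query to the driver. Before 7.32, Drupal 7 derived those suffixes from the keys of the supplied array; since PHP builds arrays from request parameters of the form `name[...]=...`, the keys can be attacker-chosen text, and that text was spliced straight into the SQL. The query string, the argument arrays, the function names and the `text_outside_placeholders_unchanged` check are all constructed for the example.

```python
import re

# Constructed sample input. The trusted array has ordinary integer keys; the
# hostile one has a key that carries SQL, as a PHP request like
# name[0 ) OR ( 1 = 1]=alice&name[1]=bob would produce.
QUERY = "SELECT uid FROM users WHERE name IN (:name)"
TRUSTED_ARGS = {":name": {0: "alice", 1: "bob"}}
HOSTILE_ARGS = {":name": {"0 ) OR ( 1 = 1": "alice", "1": "bob"}}


def expand_before_fix(query, args):
    """Model of the pre-7.32 behaviour (assumed shape, not Drupal's code):
    new placeholder names are built from the array keys, so whatever text
    the keys contain becomes part of the SQL string."""
    bound = dict(args)
    for placeholder, value in args.items():
        if not isinstance(value, dict):
            continue
        new = {f"{placeholder}_{key}": item for key, item in value.items()}
        query = query.replace(placeholder, ", ".join(new))
        del bound[placeholder]
        bound.update(new)
    return query, bound


def expand_after_fix(query, args):
    """Same expansion with a sequential counter as the suffix. The keys of
    the array are ignored, so attacker-controlled text never reaches the
    SQL; only the values are bound as parameters."""
    bound = dict(args)
    for placeholder, value in args.items():
        if not isinstance(value, dict):
            continue
        new = {}
        for i, item in enumerate(value.values()):
            new[f"{placeholder}_{i}"] = item
        query = query.replace(placeholder, ", ".join(new))
        del bound[placeholder]
        bound.update(new)
    return query, bound


def text_outside_placeholders_unchanged(original, expanded, placeholder):
    """Constructed check: collapse every ':name_<digits>, :name_<digits>...'
    run back to ':name'. If the result is not the original query, text that
    is not a placeholder was introduced into the SQL during expansion."""
    one = re.escape(placeholder) + r"_\d+"
    run = one + r"(?:, " + one + r")*"
    return re.sub(run, placeholder, expanded) == original


if __name__ == "__main__":
    for label, args in (("trusted", TRUSTED_ARGS), ("hostile", HOSTILE_ARGS)):
        for name, fn in (("before fix", expand_before_fix),
                         ("after fix", expand_after_fix)):
            q, bound = fn(QUERY, args)
            clean = text_outside_placeholders_unchanged(QUERY, q, ":name")
            print(f"{label:8} {name:10} clean={clean!s:5} {q}")
```

With the hostile input the pre-fix expansion yields `... WHERE name IN (:name_0 ) OR ( 1 = 1, :name_1)`, which a driver would execute as written; the post-fix expansion yields `... IN (:name_0, :name_1)` for both inputs, and the hostile key survives only as a bound value, never as SQL.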

The vulnerability was found by Sektion Eins, a German PHP security firm that was hired to audit Drupal by an unnamed client.

The bug is tracked as CVE-2014-3704.
