The Drupal.org team recently released version 7.32 for the Drupal core platform.
Drupal 7.32 is a security-only release; it adds no new features. It addresses a newly discovered SQL injection vulnerability that can be exploited by anonymous users.
Ironically, the SQL injection vulnerability was found inside the Drupal 7.x database abstraction API — a piece of code that is designed to “sanitize queries executed against the database to prevent SQL injection attacks.”
If your site is not updated, an attacker could take advantage of the vulnerability in this API to execute arbitrary SQL. “Depending on the content of the requests,” the Drupal security advisory states, “this can lead to privilege escalation, arbitrary PHP execution,” or other unspecified attacks.
The Drupal Security Team rates the SQL injection vulnerability as “Highly Critical,” and “strongly recommends” that anyone running a Drupal 7.x version prior to 7.32 update immediately in order to close this vulnerability.
If you are unable to update to Drupal 7.32 immediately, Drupal.org has provided a direct patch to Drupal’s database.inc file that fixes the vulnerability until you are ready to upgrade to the full 7.32 release. However, you should only consider this fix if you (or your site admin) are comfortable editing the Drupal core code.
According to a report by ZDNet, the vulnerability was found by Sektion Eins, a PHP security firm based in Germany that had been hired by “an unnamed client” to perform an audit on Drupal.
For more information on Drupal 7.32, you can read the official release from the Drupal.org team here. If you would like to dive deeper into this security update, you can see a full list of all bug fixes in the stable 7.x branch in the git commit log here, and the full report by Sektion Eins is viewable here.
As always, if you have any questions about setting up your own site’s updates, don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle your site upgrade, we’ll be happy to help.
Works Cited / For Further Reading:
SQL injection flaw opens Drupal sites to attack. (ZDNet)
Drupal 7.31 pre auth SQL injection vulnerability. (Sektion Eins)
Drupal core SQL injection security advisory. (Drupal.org)