Drupal Vulnerability and Drupalgeddon


Drupalgeddon '14

A serious vulnerability in Drupal 7 was disclosed last week, leaving many sites at risk. Strictly speaking it resurfaced: the underlying bug had been identified and then dismissed last year. No one can afford to ignore it now.

The vulnerability is SQL injection, one of the most common web attack techniques: attacker-controlled input reaches the database as part of the query text rather than as data, so the attacker's SQL runs with whatever rights the application's database account has. In this case the flaw sits in Drupal core's database abstraction layer, and it can be triggered by a remote, unauthenticated request. Arbitrary SQL against a site's database is enough to take full administrative control of the site, with all the havoc that implies. Many thousands of sites are built on Drupal 7, and every one of them running a version below 7.32 is affected.

The threat, though severe, is straightforward to fix: inventory your sites, check their versions, and upgrade to Drupal 7.32, which was released to address this problem (advisory SA-CORE-2014-005). Upgrading only closes the hole, though. It does not undo anything an attacker did beforehand, and finding that a site is already patched does not prove the patch was applied by the good guys. Attacks began almost immediately: as Tamer Zoubi reported, within hours of the SA-CORE-2014-005 fix he found a malicious script working alphabetically through a list of domain names and using the injection to insert new entries into each site's menu_router table, giving the attacker a persistent foothold that remains in place after the code is upgraded.
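To make the two paragraphs above concrete, here is an added example, written for this post and not taken from Drupal's code base: a simplified reconstruction of the placeholder expansion a query layer performs when an array is bound to a single named placeholder for an IN (...) clause, with a switch between the flawed behaviour and the one-line fix shipped in 7.32 (deriving placeholder suffixes from array_values() instead of caller-supplied array keys). The function name expand_in_arguments, the sample query and the request values are assumptions for illustration; the tautology payload is a constructed stand-in, not the script Tamer Zoubi observed.

```php
<?php
// Added example (editor's reconstruction, not Drupal's own code): how a query
// layer rewrites ":name" into ":name_0, :name_1, ..." when an array is bound
// to it, and why that was injectable before 7.32. Names, query and inputs are
// assumptions chosen for illustration.

/**
 * Expand array arguments into IN (...) placeholder lists.
 *
 * Returns [rewritten query, flattened argument array].
 *
 * @param bool $hardened
 *   FALSE reproduces the vulnerable behaviour: placeholder suffixes are taken
 *   from the array's own keys. TRUE applies the 7.32-style fix: array_values()
 *   renumbers the keys 0..n-1 before they are used to build placeholder names.
 */
function expand_in_arguments(string $query, array $args, bool $hardened): array {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    // In a Drupal site $data comes straight from the HTTP request (for example
    // the login form's name[] values), so without array_values() the attacker
    // controls $i and therefore the text spliced into the SQL below.
    $source = $hardened ? array_values($data) : $data;
    $new_keys = [];
    foreach ($source as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // The placeholder *names* are interpolated into the statement text
    // unquoted; only the values are later bound as data.
    $query = preg_replace('#' . preg_quote($key, '#') . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return [$query, $args];
}

// Constructed inputs. The benign request binds one value. The hostile request
// carries SQL in an array *key*, plus a plain 0 key so the ":name_0" token
// left behind in the statement still has a bound value and executes cleanly.
$sql     = 'SELECT uid FROM users WHERE name IN (:name) AND status = 1';
$benign  = [':name' => ['admin']];
$hostile = [':name' => ['0) OR 1=1 -- ' => 'x', 0 => 'admin']];

[$q, $a] = expand_in_arguments($sql, $benign, false);
echo "benign:\n  $q\n  args: " . json_encode($a) . "\n";

foreach (['vulnerable' => false, 'hardened' => true] as $label => $hardened) {
  [$q, $a] = expand_in_arguments($sql, $hostile, $hardened);
  echo "$label:\n  $q\n  args: " . json_encode($a) . "\n";
}
```

In the vulnerable run the statement text becomes `SELECT uid FROM users WHERE name IN (:name_0) OR 1=1 -- , :name_0) AND status = 1`: the attacker's fragment is now SQL, not data, and nothing the database driver does with the bound values can take it back out. In the hardened run the same request yields `IN (:name_0, :name_1)` with the hostile key simply discarded, which is why the fix could be a single line. The same check applies when reviewing any home-grown query builder: any string that is interpolated into statement text, including placeholder names, must never be derived from request data.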

Any and all accounts serviced by CommonPlaces should know that we have team members dealing with this issue. The excellent community of Drupal developers continues to pass along any information that comes their way. If you have any concerns about your Drupal website and you are not a client of ours, we urge you to contact the Drupal community directly.
