Drupal Vulnerability and Drupageddon

Oct 20, 2014 | Development


Drupalgeddon '14

A serious vulnerability in Drupal 7 was unearthed last week, leaving many sites at risk. Well, actually, it just resurfaced, since it had been identified and then dismissed last year. No one can afford to ignore it now.

This vulnerability is SQL injection, a very common hacking method for stealing data by inserting SQL commands into the queries a site sends to its backend database. It allows remote hackers to assume admin authority over a website, causing who knows how much havoc. Many thousands of sites are built on Drupal 7, and every one of them could be affected.

The threat, though severe, is fairly easy to fix. Scanning, analyzing, and patching with an upgrade to Drupal 7.32 (which was released to address this problem) should correct it. However, finding a patch does not assure that it was made by the good guys. Tamer Zoubi reported that, hours after the Drupal SA-CORE-2014-005 fix, he found a malicious script which sifts through a list of domain names alphabetically, placing new requests into the menu router table, resulting in arbitrary SQL execution.
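As part of the scanning step, the menu router table mentioned above can be audited for planted rows. The sketch below is an added example, not code from this post or from the Drupal project: it uses an in-memory SQLite table as a stand-in for a site's `menu_router` table, the sample rows are constructed, and the deny-list of PHP built-ins is an illustrative assumption.

```python
import sqlite3

# Assumption: PHP built-ins that have no business being a menu callback.
# Illustrative list, not taken from the post; extend it for your environment.
SUSPICIOUS_CALLBACKS = {
    "file_put_contents", "assert", "system", "exec", "passthru",
    "shell_exec", "call_user_func", "create_function",
}

def build_sample_db():
    """Constructed sample: three menu_router rows, one of them planted."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE menu_router ("
        "path TEXT PRIMARY KEY, access_callback TEXT, page_callback TEXT)"
    )
    db.executemany(
        "INSERT INTO menu_router VALUES (?, ?, ?)",
        [
            ("node/%", "node_access", "node_page_view"),
            ("user/login", "user_is_anonymous", "drupal_get_form"),
            ("xqzplk", "file_put_contents", ""),  # constructed rogue row
        ],
    )
    return db

def find_rogue_routes(db):
    """Return (path, column, callback) for every callback on the deny-list."""
    hits = []
    rows = db.execute(
        "SELECT path, access_callback, page_callback "
        "FROM menu_router ORDER BY path"
    )
    for path, access_cb, page_cb in rows:
        for column, callback in (("access_callback", access_cb),
                                 ("page_callback", page_cb)):
            if callback and callback.strip().lower() in SUSPICIOUS_CALLBACKS:
                hits.append((path, column, callback))
    return hits

if __name__ == "__main__":
    for path, column, callback in find_rogue_routes(build_sample_db()):
        print(f"suspicious route {path!r}: {column} = {callback}")
```

An empty result only rules out this one kind of planted route; it does not show that a site which was exposed before patching is clean.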

Any and all accounts serviced by CommonPlaces should know that we have team members who are dealing with this issue. The excellent community of Drupal developers continues to pass along any information which comes their way. If you have any concerns with your Drupal website, and you are not a client of ours, we urge you to contact the Drupal community directly.
