1 min read

Drupal Vulnerability and Drupageddon

Drupal Vulnerability and Drupageddon

Drupalgeddon '14

A serious code breach in Drupal 7 was unearthed last week, leaving many sites at risk. Well, actually, it just resurfaced, since it had been identified and then dismissed last year. No one can afford to ignore it now.

This vulnerability is SQL Injection, a very common hacking method for stealing data by inserting SQL commands through the backend database. It allows remote hackers to assume admin authority over a website, causing who knows how much havoc. Many thousands of sites are built on Drupal 7, and every one of them could be affected.

The threat, though severe, is fairly easy to fix. Scanning, analyzing, and patching with an upgrade to Drupal 7.32 (which was released to address this problem) should correct it. However, finding a patch does not assure that it was made by the good guys. As reported by Tamer Zoubi, hours after the Drupal SA-CORE-2014-005 fix, he found a malicious script which sifts through a list of domain names alphabetically, placing new requests into the menu router table, resulting in arbitrary SQL execution.

Any and all accounts serviced by CommonPlaces should know that we have team members who are dealing with this issue. The excellent community of Drupal developers continues to pass along any information which comes their way. If you have any concerns with your Drupal website, and you are not a client of ours, we urge you to contact the Drupal community directly.

Related Posts

2 min read

Should I Upgrade to Drupal 7 or Drupal 8?

As Drupal 6 gets dangerously close to its End of Life Date, users currently running on that version are left wondering what to do next. Should you upgrade to Drupal 7 or Drupal 8? Your decision will...

Hack-Proof Your Drupal App - Our Session at DrupalCon

Our own Erich Beyrent presented at DrupalCon Szeged on the subject of Drupal security. His session was entitled, "Hack-Proof Your Drupal App - Key Habits of Secure Coding," and you can watch it here:
1 min read

Council of Residential Specialists takes Drupal.org Homepage!

Recently, Drupal.org and the Drupal Community featured CRS.com on its homepage for its Featured Site section. The "Featured Site" section of Drupal.org, the development community site of Drupal, is...
2 min read

End of Life Date for Drupal 6 Announced: February 24, 2016

Last month, the widely used open source website development platform, Drupal, dropped some good news and some bad news. The amazingly good news was the release of Drupal 8, on November 19th, 2015....