Easily exploitable Drupal bug can lead to total site compromise

Admins of sites that run Drupal 7 are advised to update to the latest version of the platform – version 7.32 – because it fixes a critical SQL injection vulnerability that can ultimately lead to site hijacking and data theft.

Urgency is warranted because the vulnerability is easy to exploit and because proof-of-concept exploits have already been made public. “While we do not have reports of actual usage, the nature of this vulnerability is such that the attack can be difficult to detect,” the Drupal security team warned.

Ironically enough, the bug has been found in the database abstraction API that is used to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

“A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks,” they explained in the security advisory, and added that the vulnerability can be exploited remotely, without any kind of authentication required.
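The general failure mode the advisory describes, a query-building layer that is supposed to keep data out of query text but lets part of the caller's input into it, is easiest to see in a toy. The following PHP is an added illustration written for this article, not Drupal's code and not the patched routine; it assumes a simplified placeholder expander (`:uids` bound to an array becomes one placeholder per element) and shows the weak pattern beside a hardened one. The function names, the regular expression and the sample input are all constructed for this example.

```php
<?php
// Added illustration, not Drupal's code: a toy query builder that expands an
// array bound to one placeholder (WHERE uid IN (:uids)) into one placeholder
// per element. The security question is which parts of the caller's input end
// up in the SQL *text* rather than in bound parameters.

// Weak version (assumed pattern): the array's KEYS are spliced into the SQL to
// form the new placeholder names. If those keys originate in a request, the
// layer that is meant to sanitize queries becomes the injection point, because
// keys, unlike values, are never bound as parameters.
function expand_array_placeholders_weak(string $sql, array $args): array {
    foreach ($args as $name => $value) {
        if (!is_array($value)) {
            continue;
        }
        $names = [];
        foreach ($value as $key => $item) {
            $newName = $name . '_' . $key;   // caller-supplied key used verbatim
            $names[] = $newName;
            $args[$newName] = $item;
        }
        unset($args[$name]);
        $sql = str_replace($name, implode(', ', $names), $sql);
    }
    return [$sql, $args];
}

// Hardened version: discard caller-supplied keys (array_values) so placeholder
// names are derived only from a numeric counter, and reject any name that does
// not match a strict identifier pattern before it touches the SQL string. The
// element values themselves still travel only as bound parameters.
function expand_array_placeholders_safe(string $sql, array $args): array {
    foreach ($args as $name => $value) {
        if (!is_array($value)) {
            continue;
        }
        $names = [];
        foreach (array_values($value) as $i => $item) {
            $newName = $name . '_' . $i;
            if (!preg_match('/^:[A-Za-z_][A-Za-z0-9_]*$/', $newName)) {
                throw new InvalidArgumentException("bad placeholder $newName");
            }
            $names[] = $newName;
            $args[$newName] = $item;
        }
        unset($args[$name]);
        $sql = str_replace($name, implode(', ', $names), $sql);
    }
    return [$sql, $args];
}

// Constructed sample input: an associative array whose keys are not plain
// integers, standing in for data taken straight from a request.
$sql  = 'SELECT name FROM users WHERE uid IN (:uids)';
$args = [':uids' => ['first' => 1, 'second' => 2]];

[$weakSql, $weakArgs] = expand_array_placeholders_weak($sql, $args);
echo $weakSql, PHP_EOL;   // placeholder names now carry the caller's keys

[$safeSql, $safeArgs] = expand_array_placeholders_safe($sql, $args);
echo $safeSql, PHP_EOL;   // placeholder names come only from the counter
```

The point to audit in any such layer is the path from input to query text: values bound through `$safeArgs` go to the database driver as parameters (with PDO, `prepare($safeSql)` then `execute($safeArgs)`), so the only strings that may ever be concatenated into `$sql` are ones the code generated itself and validated against a fixed pattern. That is also why the advisory notes such attacks are hard to spot after the fact: a request that abuses the builder produces an ordinary-looking prepared statement, so logging at the application layer (which placeholders were generated for which request) is more useful than inspecting database logs alone.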

The vulnerability was discovered and flagged a month ago by Stefan Horst, a researcher with German PHP security firm Sektion Eins, which was hired to audit Drupal by a customer.

But, according to Robert Horton, European managing director of security consulting at NCC Group, the flaw was discovered and “was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013.”

“It took an independent researcher to separately find it and bang the security drum in order for people to take notice,” he commented for The Register.
