Drupal SQL Injection Vulnerability – CVE-2014-3704

drupal_logo-blue

On October 15th a very serious SQL injection vulnerability was discovered in Drupal that exists in all 7.x versions prior to 7.32. The severity of this vulnerability led to quick exploitation of it within approximately 7 hours of it having been publicized. Fortunately the provided patch to address this issue was quite simple and easy to apply. In fact, the patch only changed one line of code in the includes/database/database.inc file. Because of this we opted to go ahead and pro-actively apply the patch to all installations of Drupal 7.x on our servers. In less than an hour we had protected all of our clients’ Drupal installations from being exploited by this vulnerability. Beyond that it helped to protect our servers from attackers that were exploiting this vulnerability to run other malicious scripts. Affected clients should still upgrade their Drupal to the latest version as soon as possible.

Overall we were very pleased that this was so easily addressed on our end and we will certainly look into options like this going forward as new vulnerabilities in popular scripts are discovered. This incident shows how important it is for you to stay on top of script, plugin, and theme updates. Within a mere 7 hours of publicizing this vulnerability, it was being actively exploited. We highly recommend that you sign up for security related mailing lists for the scripts that you are using if they are available. This will give you the best chance at protecting yourself when (not if) a vulnerability like this comes to light.

Leave a Reply