CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
SQL Injection Vulnerability in Drupal could allow for Remote Code Execution
A vulnerability has been reported in Drupal 7 core that could allow for SQL injection. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code in SQL or PHP, and possible privilege escalation. Successful exploitation could allow an attacker to control the website; view, change, delete data; or perform other activities.
There is not any known proof-of-concept code available at this time.
- Drupal core version 7 prior to 7.32
- Large and medium government entities:High
- Small government entities:High
- Large and medium business entities:High
- Small business entities:High
Home users: Low
Vulnerability has been discovered in the Drupal 7 core. Specifically, this vulnerability is in the database abstraction API that sanitizes user-supplied data before using it in SQL queries. An unauthorized attacker could create specially crafted requests resulting in arbitrary code execution (specifically PHP code) or privilege escalation. (CVE-2014-3704)
We recommend the following actions be taken:
- Update to the latest version of Drupal core.
- If unable to update to the latest version, apply the appropriate patch found on the Drupal website to the affected site's database.inc file.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to click links from unknown sources, or to click links without verifying the intended destination.
- Do not open email attachments from unknown or untrusted sources.
- Consider implementing file extension whitelists for allowed e-mail attachments.