Critical SQL Injection Vulnerability in Drupal Core Framework

Drupal, an open source software package that provides one of the most popular content management systems (CMS), is alerting its users to consider their websites compromised unless the sites have been updated with the security patch released on 15 October 2014.

Drupal provides the content management system behind websites such as MTV, Sony Music, MIT, Harvard and Popular Science. It powers approximately 1 billion websites on the internet, which puts Drupal in third place behind the juggernaut WordPress and Joomla.

A public service announcement released by Drupal’s security team warned users about the SQL injection attack, which was revealed two weeks ago. The attack compromised almost 12 million of the widely used Drupal 7 websites. Users were advised to update their websites to Drupal 7.32 within seven hours of the vulnerability being announced.

The Drupal security announcement stated: “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15, 11 pm UTC, that is seven hours after the announcement.”

Attackers began exploiting the vulnerability using “automated attacks” shortly after the public disclosure by the Drupal security team on October 15. The most serious aspect of this bug is that it allows an attacker to compromise a website without any authentication, and the attack leaves no trace afterwards.

The SQL injection vulnerability is extremely critical, and it resides in a part of Drupal core that was designed specifically to prevent SQL injection. By exploiting the bug in a vulnerable version of the Drupal CMS, attackers can steal private information from websites or gain remote access to the system by installing a backdoor. In short, the attack can lead to the entire website being compromised.

According to the Drupal security team, in some cases the attackers may even have installed a backdoor on the hacked systems and then, to ensure that nobody else gained access to the site, applied the patch on the website admins’ behalf.

The announcement further stated: “Updating to version 7.32 or applying the patch fixes the vulnerability, but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”

As per the Drupal team, if an attacker has added a backdoor to a system running the vulnerable Drupal 7, you are advised to take the website offline, delete all databases and files, restore from backups made before 15 October, and finally patch the website before bringing it back online.

A vulnerable site can also be restored by following the steps below:

• Take the website offline by replacing it with a static HTML page.
• Notify the server’s administrator, highlighting that other applications or sites hosted on the same server may also have been attacked because of a backdoor installed in the initial attack.
• Either obtain a new server, or remove the website’s databases and files from the old server.
• Restore the website from a backup made before 15 October 2014.
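The announcement’s warning that a site “already patched but you didn’t do it” is a symptom of compromise turns into a concrete check when a pre-15-October backup is available: compare the backup tree against the live tree and flag every file added or changed on or after the cutoff. The following is an added example written for this article, not code from Drupal or its security team; the directory layout and file names in the constructed sample are hypothetical and do not reflect Drupal’s real file structure.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Cutoff from the article: backups must predate 15 October 2014.
CUTOFF = datetime(2014, 10, 15, tzinfo=timezone.utc)


def sha256_of(path: Path) -> str:
    """Content hash, so a silently rewritten file is caught even if its size is unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(backup: Path, live: Path, cutoff: datetime = CUTOFF) -> dict:
    """Diff a trusted backup against the live site. Paths are relative to each root.
    'after_cutoff' lists added/modified files whose mtime is on or after the cutoff,
    i.e. changes (such as an unexpected patch) that the site owner did not make."""
    def index(root: Path) -> dict:
        return {str(p.relative_to(root)): p for p in root.rglob("*") if p.is_file()}
    b, l = index(backup), index(live)
    common = set(b) & set(l)
    report = {
        "added": sorted(set(l) - set(b)),
        "removed": sorted(set(b) - set(l)),
        "modified": sorted(k for k in common if sha256_of(b[k]) != sha256_of(l[k])),
    }
    suspects = report["added"] + report["modified"]
    report["after_cutoff"] = sorted(
        k for k in suspects
        if datetime.fromtimestamp(l[k].stat().st_mtime, tz=timezone.utc) >= cutoff)
    return report


def build_sample() -> tuple:
    """Constructed sample (hypothetical paths): a 1 October backup and a live tree
    where one file was rewritten and one file was dropped in after the cutoff."""
    root = Path(tempfile.mkdtemp())
    backup, live = root / "backup", root / "live"
    old = datetime(2014, 10, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2014, 10, 16, tzinfo=timezone.utc).timestamp()
    for rel, text in {"core/db_layer.inc": "original\n", "index.php": "<?php\n"}.items():
        for tree in (backup, live):
            p = tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
            os.utime(p, (old, old))
    p = live / "core/db_layer.inc"          # changed after the cutoff: a patch you did not apply
    p.write_text("patched\n")
    os.utime(p, (new, new))
    p = live / "sites/uploads/extra.php"    # present only on the live site
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text("<?php // unknown\n")
    os.utime(p, (new, new))
    return backup, live
```

Anything listed under `after_cutoff` should be treated as evidence for the rebuild-from-backup procedure above rather than cleaned up in place.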
