Drupal SQL injection nasty leaves sites 'wide open' to attack A newly patched SQL injection flaw in Drupal leaves sites that rely on the widely used web development platform wide open to attack. Admins of sites that run Drupal 7 should upgrade to 7.32 to guard against possible attack. Patching needs to take place sooner rather than later because the easy-to-exploit vulnerability hands …
I know the feeling all too well.
Patch *that* and you're good.
Hey, thanks for patching *that*, now you need to patch **this** to protect against attacks that are now permitted from the patch to *that*.
Rinse and repeat.
*Whereinhell* are my sharks?! I need them for my moat around my office, I already have the lasers ready for attachment.
Oh well, at least I still have my primary method, the elevator that "mistakenly" drops off its occupants to the incinerator... :)
As well as the land mines along the corridor to my office.
And the electrified telephones.
And I'm no longer a BOFH, I'm now an Information Assurance guy.
Which means I have a bit larger budget, in some areas. Physical security was paramount, so I included a gamma ray fountain about two meters from my door.
Which, for anti-terrorism purposes is both bullet proof, anti-armor missile resistant and has a lead "deadening zone" to absorb the impact energies (suggested by myself, while a cute white cat was perched upon my lap).
Those were stop-gap measures, largely due to a lack of Daleks to help secure the premises. Bloody damned time war shortages, when will they end?
>> Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
>>A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
You had ONE job...
""The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting"
Interesting use of "interesting". Is this that special "I don't want to libel them" meaning of interesting that actually means "fucking laughably shameful"?
Right, I delayed all day deciding whether to bite, but fuck it:
I think you're confusing American English and GB English usage. I realise that "cunt" is mainly used towards women in the US, but round these parts it's entirely unisex and without misogynistic connotation. No British man who calls another a cunt is making an accusation of femininity, I promise you.
"""The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting""
But surely that's pretty standard for OSS. Tell everyone about the hole, and then worry about patching it properly later. The BASH bug springs to mind...
"Whereas closed source you don't "worry about patching it properly later" you leave it wide open and take bids for the access."
Got to be better than having the source code available so that ANYONE can find the holes and exploit them. Clearly public availability of the code means jack for public benefit as the major flaws in SSL and BASH have recently demonstrated - that have been out there for years....
to all those of you who not only weathered the long night addressing this vulnerability but find that weathering long nights and weekends fixing/maintaining/upgrading systems to be a regular course of your job. All too often this sacrifice goes under appreciated and soon forgotten except by those of us with first-hand experience.
I am no longer a member of this club but have vivid memories of an era where a strong addiction to caffeine was a requirement while regular sleep cycles were grounds for termination.
"to all those of you who not only weathered the long night addressing this vulnerability but find that weathering long nights and weekends fixing/maintaining/upgrading systems to be a regular course of your job"
Ouch - not here. With a few minutes work I just sent this months security patches out to several hundred Windows desktops and a few hundred Windows and Linux servers - I thought pretty much everyone had SCCM these days - but apparently not.
This post has been deleted by its author
From the report this is the actually executed code:
db_query("SELECT * FROM {users} where name IN (:name)",
array(':name'=>array('user1','user2')));
Why the fuck is the query still not running by preparing the statement first and letting the DB worry about the parameters?
PS. sorry for the whitespace but El Reg won't wrap the lines for me.
PHP is not at fault here, this is the POS database abstraction layer in Drupal that is at fault here. It was designed by a technical advocate who AFAICT never had to use it in real situations and was (is) therefore utterly useless and unwieldly in many situations. It was a noble thought, but fatally flawed from the start.
The PHP MySQL libraries are actually quite clever when it comes to working with prepared statements and queries and optimising their use across multiple, often independent, connections.
As someone who just finished a major site migration onto Drupal 7 I'm not even slightly surprised. This was my favorite:
https://www.drupal.org/node/2001308
Files attached to nodes arbitrarily deleted if you have the "display" box unchecked and make the mistake of previewing edits before saving them.
It's not just core you need to worry about either, you need to think about all those modules you require to even do something as simple as manage attached media files. It's totally possible for some idiot module developer to completely bypass all the "security" that's built into core, and it seems like half of them did.
"The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting," Horton said. "They appear to have overlooked the severity and it took an independent researcher to separately find it and bang the security drum in order for people to take notice."
When the vulnerability was discovered months ago and had already been publicly reported (https://www.drupal.org/node/2146839), you shouldn't be crediting SektionEins ("the German security firm that discovered the flaw") with the finding.
What evidence do you have that it was "independently" discovered by them, when it's already in public domain?
Would you believe me if I told you that I independently discovered E=mc^2 and wasn't aware that Einsten had already found that out?
Don't fall for the hype that SektionEins is trying to drum up around this...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
