The expandArguments function in the database abstraction API in Drupal core 7.x prior to 7.32 does not properly construct prepared statements, which allows remote malicious users to conduct SQL injection attacks via an array containing crafted keys.
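The description above says the flaw is in how array-valued query arguments are turned into prepared-statement placeholders. The following Python re-implementation of that expansion pattern is an added example, not Drupal's code: `expand_arguments_unsafe` mirrors the flawed idea (the caller's array keys become part of the placeholder name that is written into the SQL text), `expand_arguments_safe` shows the hardened form (only the positional index is used), and `placeholders_well_formed` is a defensive audit that a query builder's tests can run to confirm nothing but clean placeholder identifiers was spliced into a statement. The SQL string, the argument names and the sample values are constructed for the example.

```python
import re

# Placeholder names are the only thing a query builder should ever splice into
# SQL text, so they must be plain identifiers; anything else changes the statement.
PLACEHOLDER_RE = re.compile(r":([A-Za-z_][A-Za-z0-9_]*)")
ARRAY_TYPES = (list, tuple, dict)


def _values_by_key(value):
    """Yield (index, item) pairs; for a dict the index is the caller-supplied key."""
    return value.items() if isinstance(value, dict) else enumerate(value)


def expand_arguments_unsafe(sql, args):
    """Flawed pattern (constructed illustration, not Drupal's source): each element
    of an array argument gets its own placeholder, and the element's *key* is
    appended to the placeholder name. When that array was built from request
    data, untrusted key text is written straight into the SQL string."""
    args = dict(args)
    for key, value in list(args.items()):
        if not isinstance(value, ARRAY_TYPES):
            continue
        new_keys = {f"{key}_{i}": v for i, v in _values_by_key(value)}
        expansion = ", ".join(new_keys)
        sql = re.sub(re.escape(key) + r"\b", lambda _m: expansion, sql)
        del args[key]
        args.update(new_keys)
    return sql, args


def expand_arguments_safe(sql, args):
    """Hardened form: only the positional index (0, 1, 2, ...) is used in the
    generated name, so nothing taken from the array's keys reaches the SQL."""
    args = dict(args)
    for key, value in list(args.items()):
        if not isinstance(value, ARRAY_TYPES):
            continue
        values = list(value.values()) if isinstance(value, dict) else list(value)
        new_keys = {f"{key}_{i}": v for i, v in enumerate(values)}
        expansion = ", ".join(new_keys)
        sql = re.sub(re.escape(key) + r"\b", lambda _m: expansion, sql)
        del args[key]
        args.update(new_keys)
    return sql, args


def placeholders_well_formed(sql, args):
    """Audit check: every bound argument name must be a clean identifier, and the
    set of placeholder tokens found in the SQL must equal the set of bound names.
    A mismatch means text other than a placeholder was spliced into the query."""
    bound = set(args)
    if any(not PLACEHOLDER_RE.fullmatch(name) for name in bound):
        return False
    found = {":" + m.group(1) for m in PLACEHOLDER_RE.finditer(sql)}
    return found == bound


if __name__ == "__main__":
    # Constructed sample: an IN() condition whose value list came from a request,
    # so the inner dict's keys are not trustworthy (here a harmless key with a space).
    sql = "SELECT uid FROM users WHERE name IN (:db_condition_placeholder_0)"
    request_values = {"0": "admin", "x y": "guest"}
    for expand in (expand_arguments_unsafe, expand_arguments_safe):
        out_sql, out_args = expand(sql, {":db_condition_placeholder_0": request_values})
        print(expand.__name__, "->", out_sql,
              "| well-formed:", placeholders_well_formed(out_sql, out_args))
```

The audit function is the useful takeaway for defenders: run it over the output of any helper that rewrites SQL text, and fail the build if a generated statement ever contains a token that is not an identifier bound in the argument map.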
| Vulnerable Product |
|---|
| drupal drupal |
| debian debian linux 7.0 |
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Drupal websites that had not patched within seven hours of the 15 October disclosure of a "highly critical" SQL injection (SQLi) hole are essentially hosed, the content management tool's developers say. Attacks against the vulnerability (CVE-2014-3704) in version seven of the content management system began "hours" after the announcement detailing how the easily exploitable bug granted attackers full control, including the execution of malicious code. Flaw disclosers SektionEins described...
Usual drill - install the patch tout de suite
A newly patched SQL injection flaw in Drupal leaves sites that rely on the widely used web development platform wide open to attack. Admins of sites that run Drupal 7 should upgrade to 7.32 to guard against possible attack. Patching needs to take place sooner rather than later because the easy-to-exploit vulnerability hands total control, including the ability to load malicious code, to attackers targeting vulnerable websites. The CVE-2014-3704 vulnerability in Drupal 7 ha...