Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Open Source IT

Drupal Warns Users of Mass, Automated Attacks On Critical Flaw 76

Trailrunner7 writes The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.
This discussion has been archived. No new comments can be posted.

Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

Comments Filter:
  • by TWX ( 665546 ) on Thursday October 30, 2014 @09:53AM (#48269137)

    SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks

    Would this be actual irony, as opposed to Alanis Morrissette irony?

    • by Anonymous Coward

      This would be actual irony.

    • by Jaime2 ( 824950 )
      Not only is it ironic, it's a good thing. If people use this module, then they are a single patch away from fixing every occurrence of this bug. If they don't use this module, then they have to find all of their code that is similarly flawed and fix each instance individually. It's not like doing a database lookup with an IN is a rare thing; roll-your-own implementations are likely to be broken too.
      • by unrtst ( 777550 )

        ... roll-your-own implementations are likely to be broken too.

        As far as I can tell, this module uses custom placeholders in queries, and then replaces those with the user supplied values, building a string that can be passed to the DB as SQL without database placeholders. IE. it's not building something like:

        $db->prepare("SELECT name FROM table WHERE something IN (?,?,?)")
        $db->execute( @parameters );

        It's building something like:

        $db->prepare("SELECT name FROM table WHERE so

        • by Jaime2 ( 824950 )
          Yeah, they screwed up the implementation. But at least they provide a consistent way to pass a list-type argument to a database command. Once the implementation is hardened, everyone who uses it will be a little more secure.
    • by bill_mcgonigle ( 4333 ) * on Thursday October 30, 2014 @10:40AM (#48269557) Homepage Journal

      Would this be actual irony, as opposed to Alanis Morrissette irony?

      That a song with that name contains no actual examples of irony is ______.

      This message brought to you by Deep Metathinking and the Number 12.

    • by sootman ( 158191 )

      "It's like SQL injectiooooooon, on a module that's designed specifically to help prevent SQL injection attaaaaaaaaaaacks"

      It practically writes itself!

      • by ls671 ( 1122017 )

        All we have to do is make the algorithm recursive so it fixes sql injection problems in its own code. Simple.

  • by joelsherrill ( 132624 ) on Thursday October 30, 2014 @10:14AM (#48269339) Homepage

    The story only mentions Drupal 7. Is Drupal 6 or 8 impacted?

  • by Mysticalfruit ( 533341 ) on Thursday October 30, 2014 @10:32AM (#48269481) Homepage Journal
    I'm surprised it took this long! While not a PHP programmer, I've looked at some bits of the code and it's a bloody mess.

    php should get a new motto: "Please Hijack our Platform"
    • PHP done right [banshee-php.org]. I challenge you to find a security leak.

    • by Anonymous Coward

      We get it. You're not a noob PHP "developer". You're one of those cool dudes who uses a real man's language and get's all the girls! ( and get's modded insightful for it )

      I do both php and python, and while I prefer Python, there is nothing out there written in Python ( or any language, to my knowledge ) that comes close to being as efficient as Drupal in terms of time spent getting to launch. And yes that includes Django, which IMO is really only useful for low level APIs. It offers no tools for efficient

  • I did some websites in Drupal, but now I am steering clear of Drupal and the likes (Wordpress,...)

    Now 100% of my projects are in my custom CMS where obfuscation is the rule.

    • Now 100% of my projects are in my custom CMS where obfuscation is the rule.

      So now instead of many eyes on your CMS, there are only yours? People who keep up with their updates don't really have to worry about this. I used to check my site status page daily, but I noticed that I get notified of all the major Drupal patches by Slashdot, which is handy.

      • Well, if you have 250 websites to manage like me, it still prefer my CMS: I decide when to patch my code and update my clients site. I don't want to be dictated by a 'code red'. Also, my updates are 97% based on integration of new components (support for cloudbased storage, etc...) and not because of security issues.
        A major factor in all this, is that I use rails: the supporting community has an immense array of helpful tools that help me with deployment, migration (new server) and maintenance.

    • by Anonymous Coward

      That's nonsense. Go look at what eventually happened to HB Gary Federal and how all that started [arstechnica.com], (by using a custom CMS).

      Your best bet is to pay close attention to security releases, and be thankful the for the Drupal Security Team which is on top of these issues. For more clarity, read these:

      https://www.previousnext.com.au/blog/drupal-732-critical-update-our-response

      https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-injection-announcement

      Seriously, compared to the Drupal Security Team whic

  • WhiteHouse.gov (Score:3, Insightful)

    by q4Fry ( 1322209 ) on Thursday October 30, 2014 @12:24PM (#48270719)
    Is the White House breach a result of this bug? Inquiring minds want to know!
  • The original advisory notes that "Since Drupal uses PDO, multi-queries are allowed." I can find documentation that confirms that's true of the MySQL PDO adapter. Is that also true for PDO for other databases, or is this vulnerability specific to MySQL?

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...