Drupal SQL injection nasty leaves sites 'wide open' to attack

A newly patched SQL injection flaw in Drupal leaves sites that rely on the widely used web development platform wide open to attack.

Admins of sites that run Drupal 7 should upgrade to 7.32 to guard against possible attack.

Patching needs to take place sooner rather than later because the easy-to-exploit vulnerability hands over total control – including the ability to load malicious code - to attackers running attacks against vulnerable websites.

The CVE-2014-3704 vulnerability in Drupal 7 has, unsurprisingly, been classified as "highly critical".

"A malicious user can inject arbitrary SQL queries… This vulnerability can be exploited by remote attackers without any kind of authentication required," an advisory by SektionEins, the German security firm that discovered the flaw, warns.

In a bitter irony, the flaw stems from an API specifically designed to help prevent SQLi attacks against the open source content management system, an advisory by Drupal's development team admits.

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

Robert Horton, European managing director of security consulting at NCC Group, said that the Drupal flaw is of particular concern because it's "extremely trivial to exploit by low skilled attackers".

"We expect exploitation to be rapid and systemic with proof-of-concept exploits already available by individuals looking to either obtain sensitive data, or to inject malicious code into otherwise legitimate sites in order to attack users," Horton warned.

Despite its severity the Drupal bug was overlooked for months, Horton added.

"The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting," Horton said. "They appear to have overlooked the severity and it took an independent researcher to separately find it and bang the security drum in order for people to take notice."

The Drupal flaw follows in the wake of the earlier Heartbleed and Shellshock vulnerabilities. All three flaws show how heavily many internet technologies rely on codes put together by small teams of coders.

"This bug once again shows the difficulty that all developers face when writing secure code and the length of time bugs can exist without coming to the attention,” Horton concluded.

Gavin Millard, EMEA technical director at Tenable Network Security, said approximately 900,000 websites were running the vulnerable versions of Drupal "all of which will need to be patched immediately".

“The SQL injection vulnerability in Drupal, one of the most popular content management systems (CMS) utilised by web designers to quickly build dynamic websites, is not just significant but should be considered high risk," Millard said.

"In the wild, this flaw could allow any attacker to run commands on the webserver, without authentication taking place, leading to data exfiltration or further exploitation." ®

Bootnote

Numerous people have questioned NCC Group's comments. The Register has double-checked with NCC and it stands by its statement.