back to article Drupal SQL injection nasty leaves sites 'wide open' to attack

A newly patched SQL injection flaw in Drupal leaves sites that rely on the widely used web development platform wide open to attack. Admins of sites that run Drupal 7 should upgrade to 7.32 to guard against possible attack. Patching needs to take place sooner rather than later because the easy-to-exploit vulnerability hands …

  1. Awil Onmearse

    It was a long night, to be sure.

    1. Wzrd1

      I know the feeling all too well.

      Patch *that* and you're good.

      Hey, thanks for patching *that*, now you need to patch **this** to protect against attacks that are now permitted from the patch to *that*.

      Rinse and repeat.

      *Whereinhell* are my sharks?! I need them for my moat around my office, I already have the lasers ready for attachment.

      Oh well, at least I still have my primary method, the elevator that "mistakenly" drops off its occupants to the incinerator... :)

      As well as the land mines along the corridor to my office.

      And the electrified telephones.

      And I'm no longer a BOFH, I'm now an Information Assurance guy.

      Which means I have a bit larger budget, in some areas. Physical security was paramount, so I included a gamma ray fountain about two meters from my door.

      Which, for anti-terrorism purposes is both bullet proof, anti-armor missile resistant and has a lead "deadening zone" to absorb the impact energies (suggested by myself, while a cute white cat was perched upon my lap).

      Those were stop-gap measures, largely due to a lack of Daleks to help secure the premises. Bloody damned time war shortages, when will they end?

  2. Tzhx

    >> Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

    >>A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.

    You had ONE job...

    1. Phil W

      Don't worry, little Bobby Tables will patch it for you.

  3. Anonymous Coward
    Anonymous Coward

    Ha Ha

    only laughing because I had a long day+nighter the other day, manually checking by eye 730 SQL's were ALL prepared + no direct values in SQL text etc.

    So I can laugh with pride knowing that ive just done the work on our system.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ha Ha, checking by eye 730 SQL's

      Wow, that is a large number of sqls!! Our systems only have the one....

  4. Stretch

    "Interesting"

    ""The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting"

    Interesting use of "interesting". Is this that special "I don't want to libel them" meaning of interesting that actually means "fucking laughably shameful"?

    1. psychonaut

      Re: "Interesting"

      i think thats interesting spelt "w-h-a-t-a-b-u-n-c-h-o-f-c-u-n-t-s"

      1. entropypawsed

        Re: "Interesting"

        A very poor choice in derogatory name calling. How about something not degrading to 1/2 of humanity, please?

        1. Havin_it

          @entropypawsed Re: "Interesting"

          Right, I delayed all day deciding whether to bite, but fuck it:

          I think you're confusing American English and GB English usage. I realise that "cunt" is mainly used towards women in the US, but round these parts it's entirely unisex and without misogynistic connotation. No British man who calls another a cunt is making an accusation of femininity, I promise you.

    2. Anonymous Coward
      Anonymous Coward

      Re: "Interesting"

      """The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting""

      But surely that's pretty standard for OSS. Tell everyone about the hole, and then worry about patching it properly later. The BASH bug springs to mind...

      1. Anonymous Coward
        Anonymous Coward

        Re: "Interesting"

        Whereas closed source you don't "worry about patching it properly later" you leave it wide open and take bids for the access.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Interesting"

          "Whereas closed source you don't "worry about patching it properly later" you leave it wide open and take bids for the access."

          Got to be better than having the source code available so that ANYONE can find the holes and exploit them. Clearly public availability of the code means jack for public benefit as the major flaws in SSL and BASH have recently demonstrated - that have been out there for years....

      2. Anonymous Coward
        Anonymous Coward

        Re: "Interesting"

        Yeah, and that may be true, but MS! Yeah? Those bastards.

  5. Joe Drunk
    Pint

    A Giant Toast

    to all those of you who not only weathered the long night addressing this vulnerability but find that weathering long nights and weekends fixing/maintaining/upgrading systems to be a regular course of your job. All too often this sacrifice goes under appreciated and soon forgotten except by those of us with first-hand experience.

    I am no longer a member of this club but have vivid memories of an era where a strong addiction to caffeine was a requirement while regular sleep cycles were grounds for termination.

    1. Anonymous Coward
      Anonymous Coward

      Re: A Giant Toast

      "to all those of you who not only weathered the long night addressing this vulnerability but find that weathering long nights and weekends fixing/maintaining/upgrading systems to be a regular course of your job"

      Ouch - not here. With a few minutes work I just sent this months security patches out to several hundred Windows desktops and a few hundred Windows and Linux servers - I thought pretty much everyone had SCCM these days - but apparently not.

  6. This post has been deleted by its author

  7. Charlie Clark Silver badge
    WTF?

    So wrong

    From the report this is the actually executed code:

    db_query("SELECT * FROM {users} where name IN (:name)",

    array(':name'=>array('user1','user2')));

    Why the fuck is the query still not running by preparing the statement first and letting the DB worry about the parameters?

    God, PHP is so fucking awful!

    PS. sorry for the whitespace but El Reg won't wrap the lines for me.

    1. Nick Ryan Silver badge

      Re: So wrong

      PHP is not at fault here, this is the POS database abstraction layer in Drupal that is at fault here. It was designed by a technical advocate who AFAICT never had to use it in real situations and was (is) therefore utterly useless and unwieldly in many situations. It was a noble thought, but fatally flawed from the start.

      The PHP MySQL libraries are actually quite clever when it comes to working with prepared statements and queries and optimising their use across multiple, often independent, connections.

  8. wolfetone Silver badge

    The White House won't be happy about this, but then again neither will the "terrorists" who could've exploited it. If they had known, obviously.

  9. theOtherJT

    As someone who just finished a major site migration onto Drupal 7 I'm not even slightly surprised. This was my favorite:

    https://www.drupal.org/node/2001308

    Files attached to nodes arbitrarily deleted if you have the "display" box unchecked and make the mistake of previewing edits before saving them.

    It's not just core you need to worry about either, you need to think about all those modules you require to even do something as simple as manage attached media files. It's totally possible for some idiot module developer to completely bypass all the "security" that's built into core, and it seems like half of them did.

  10. i0n1c

    This vuln was discovered by David Garcia, not SektionEins as inaccurately reported

    "The fact that this vulnerability was independently sitting in the public domain in Drupal’s public bug tracking database since November 2013 is interesting," Horton said. "They appear to have overlooked the severity and it took an independent researcher to separately find it and bang the security drum in order for people to take notice."

    When the vulnerability was discovered months ago and had already been publicly reported (https://www.drupal.org/node/2146839), you shouldn't be crediting SektionEins ("the German security firm that discovered the flaw") with the finding.

    What evidence do you have that it was "independently" discovered by them, when it's already in public domain?

    Would you believe me if I told you that I independently discovered E=mc^2 and wasn't aware that Einsten had already found that out?

    Don't fall for the hype that SektionEins is trying to drum up around this...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019