On October 15, 2014, the Drupal Security Team published a security advisory for a new Drupal SQL injection vulnerability (SA-CORE-2014-005 - Drupal core - SQL injection).
The vulnerability was discovered in the database abstraction library that serves as an input sanitizing facility. This code is supposed to check the user's input before the data is pushed to the database for execution. For example, a web site could receive a zip code in an HTML form field, assemble an SQL request and execute it against the database. If a user or an automated script enters something similar to this:
“10004; delete from table customers”
the second part of the input, after the “;”, might be executed against the database as a separate execution batch. This technique is called SQL injection.
The vulnerable library is the part of the Drupal code that receives such user input and is responsible for making sure that the second part is not injected into the SQL execution. However, the flawed logic in the sanitizing code allows specially crafted strings to pass through the sanitizing logic and be executed against the database.
What is the risk? Here are some examples of what hackers can do:
- Someone can simply execute a delete statement against your database, deleting your data.
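The zip code scenario above, as an added example that is not Drupal's code and does not reproduce the flaw from the advisory: it contrasts a lookup built by string concatenation with one that binds the input as a parameter. The table layout, function names and sample rows are constructed for the illustration, and the input string is adapted from the article's example into valid SQL.

```python
import re
import sqlite3

# Constructed input, adapted from the article's zip code example.
MALICIOUS_ZIP = "10004; DELETE FROM customers"

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, zip TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("Alice", "10004"), ("Bob", "94105")])
    db.commit()
    return db

def count_customers(db):
    return db.execute("SELECT COUNT(*) FROM customers").fetchone()[0]

def lookup_concatenated(db, zip_code):
    """Vulnerable: the input becomes part of the SQL text itself."""
    sql = "SELECT name FROM customers WHERE zip = " + zip_code
    # executescript() runs every ';'-separated statement; it stands in for
    # a database driver that accepts multi-statement batches.
    db.executescript(sql)

def lookup_bound(db, zip_code):
    """Hardened: the value is bound as data and never parsed as SQL."""
    rows = db.execute("SELECT name FROM customers WHERE zip = ?", (zip_code,))
    return [name for (name,) in rows]

def lookup_validated(db, zip_code):
    """Defense in depth: reject malformed input before it reaches the query."""
    if not re.fullmatch(r"\d{5}", zip_code):
        raise ValueError("zip code must be exactly five digits")
    return lookup_bound(db, zip_code)

if __name__ == "__main__":
    db = make_db()
    lookup_concatenated(db, MALICIOUS_ZIP)
    print("rows left after concatenated lookup:", count_customers(db))
    db = make_db()
    print("bound lookup result:", lookup_bound(db, MALICIOUS_ZIP))
    print("rows left after bound lookup:", count_customers(db))
```

With the bound query the whole input is compared against the `zip` column as a single string, so it matches no row and the table is left intact.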
- Someone can craft SQL statements that pull data out of your database and send the data back to the hacker. To find out more about such techniques, contact the Digital Edge Security team at: https://www.digitaledge.net/Contact-SendEmail.aspx
- Someone can craft a SQL statement that inserts a virus into your website.
- Someone can craft a SQL statement that requests the database engine to elevate its privileges and infect the whole operating system, giving the hacker full control of your servers.
The ability to automatically scan web sites, find the vulnerability and inject malicious code lets hackers infect many servers in a short period of time. Such injected malicious code can stay on servers running Drupal even after the patch is applied.
It is important to make sure that the server is not infected and that your websites do not contain injected viruses or malicious java code after the patching.
Contact the Digital Edge security team if you have any questions or concerns.