[kwlug-disc] Drupal - pre Auth SQL Injection Vulnerability
Fernando Duran
liberosec at yahoo.ca
Thu Oct 16 08:52:57 EDT 2014
For Drupal users, yesterday's advisory:
https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
Copy-pasting from a forum:
The patch is only one line[1], so if you're scared to update Drupal for fear of breaking things you can just patch the vulnerable part.
In this file:
includes/database/database.inc
Replace line 739:
foreach ($data as $i => $value) {
With the patched code:
foreach (array_values($data) as $i => $value) {
[1] https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
---------------------
Fernando Duran
http://www.fduran.com
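
An added example, not part of the original post and not Drupal's own code: a simplified model of what the one-line change does to the loop index. It assumes the index `$i` is concatenated into a placeholder name; `expand_placeholder()`, `keys_are_list()`, the query and the sample data are constructed for illustration.

```php
<?php
// Added illustration: a simplified model of array-placeholder expansion.
// Not Drupal's code; expand_placeholder() and keys_are_list() are hypothetical names.

// Expands one array-valued placeholder ($key, e.g. ":names") into one
// placeholder per element. $patched selects the loop source from the post:
// array_values($data) (patched line) or $data itself (original line 739).
function expand_placeholder(string $query, string $key, array $data, bool $patched): array
{
    $source = $patched ? array_values($data) : $data;
    $new_args = [];
    foreach ($source as $i => $value) {
        // Assumption: the index is concatenated into the placeholder name,
        // so whatever $i holds ends up in the SQL text itself.
        $new_args[$key . '_' . $i] = $value;
    }
    $query = str_replace($key, implode(', ', array_keys($new_args)), $query);
    return [$query, $new_args];
}

// Defensive check for callers: true only when the keys are exactly 0..n-1.
function keys_are_list(array $data): bool
{
    return array_keys($data) === array_keys(array_values($data));
}

// Constructed sample: an array with a non-numeric key, as decoded input could supply.
$data = [0 => 'alice', 'some text' => 'bob'];
$sql  = 'SELECT uid FROM users WHERE name IN (:names)';

foreach ([false, true] as $patched) {
    [$expanded, $args] = expand_placeholder($sql, ':names', $data, $patched);
    echo ($patched ? 'patched:  ' : 'original: '), $expanded, PHP_EOL;
}
echo 'keys_are_list: ', var_export(keys_are_list($data), true), PHP_EOL;
```

With the original loop the string key appears inside the expanded query text; with `array_values()` the indexes are always the integers 0..n-1, so only generated names reach the query.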