[kwlug-disc] Drupal - pre Auth SQL Injection Vulnerability

Khalid Baheyeldin kb at 2bits.com
Thu Oct 16 09:33:00 EDT 2014


Please note that Drupal 7 is vulnerable, but Drupal 6 is not.

While changing line 739 directly will certainly make your site secure
against the vulnerability, editing the code directly is not
recommended because of other reasons.

For example, doing so may introduce errors inadvertently because of
typos, and will not change the version number, so you get bogus
security warnings, which you will ignore when a real security version
comes up, and then you don't upgrade and are vulnerable.

Applying the patch takes care of the typo concern.
The best way to upgrade is via drush:

cd /where/drupal/is/installed
drush up drupal

Much easier than other methods.

On Thu, Oct 16, 2014 at 8:52 AM, Fernando Duran <liberosec at yahoo.ca> wrote:
> For Drupal users, yesterday's advisory:
> https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
>
> copy-pasting from a forum:
>
> The patch is only one line[1], so if you're scared to update Drupal for fear of breaking things you can just patch the vulnerable part.
> In this file:
>     includes/database/database.inc
> Replace line 739:
>     foreach ($data as $i => $value) {
> With the patched code:
>     foreach (array_values($data) as $i => $value) {
>
> [1] https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
>
> ---------------------
> Fernando Duran
> http://www.fduran.com
>
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W. Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple,
and wrong. -- H.L. Mencken
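As an added check for the patch-versus-upgrade discussion above (not code from this thread or from the Drupal project): a POSIX shell function that reports whether a Drupal 7 docroot still carries the original `foreach ($data ...)` line quoted in the advisory or the patched `array_values` form. The docroot argument, the messages and the return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example: report the SA-CORE-2014-005 patch state of a Drupal 7 docroot
# by looking for the exact line the advisory tells you to replace.
# Return codes (this example's convention):
#   0 = patched line present
#   1 = original (vulnerable) line present
#   2 = database.inc missing, or neither line found (inspect by hand)
check_drupal_sa_core_2014_005() {
    docroot=$1
    inc="$docroot/includes/database/database.inc"

    if [ ! -f "$inc" ]; then
        echo "missing: $inc" >&2
        return 2
    fi

    # grep -F: match the literal text, so the PHP '$' signs are not
    # treated as regex anchors.  The patched line is checked first because
    # the two patterns cannot both match the same line.
    if grep -Fq 'foreach (array_values($data) as $i => $value) {' "$inc"; then
        echo "patched: $inc"
        return 0
    fi

    if grep -Fq 'foreach ($data as $i => $value) {' "$inc"; then
        echo "VULNERABLE: $inc still has the unpatched loop; apply the patch or run 'drush up drupal'"
        return 1
    fi

    echo "unknown: neither the original nor the patched line found in $inc" >&2
    return 2
}

# Usage: sh check.sh /where/drupal/is/installed
if [ -n "$1" ]; then
    check_drupal_sa_core_2014_005 "$1"
fi
```

Exit code 1 is deliberate so the function can gate a cron job or a config-management run, not just print.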
