[kwlug-disc] Drupal - pre Auth SQL Injection Vulnerability
Fernando Duran
liberosec at yahoo.ca
Thu Oct 16 09:39:55 EDT 2014
I don't know anything about Drupal; I'm very sure your advice is the way to go. Just letting people know of a worse vulnerability (remote code execution by anyone) for a very popular web app.
---------------------
Fernando Duran
http://www.fduran.com
> On Thursday, October 16, 2014 9:33 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> > Please note that Drupal 7 is vulnerable, but Drupal 6 is not.
>
> While changing line 739 directly will certainly make your site secure
> against the vulnerability, editing the code directly is not
> recommended because of other reasons.
>
> For example, doing so may introduce errors inadvertently because of
> typos, and will not change the version number, so you get bogus
> security warnings, which you will ignore when a real security version
> comes up, and then you don't upgrade and are vulnerable.
>
> Applying the patch takes care of the typo concern.
> The best way to upgrade is via drush:
>
> cd /where/drupal/is/installed
> drush up drupal
>
> Much easier than other methods.
>
> On Thu, Oct 16, 2014 at 8:52 AM, Fernando Duran <liberosec at yahoo.ca>
> wrote:
>> For Drupal users, yesterday's advisory:
>>
>> https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
>>
>> copy-pasting from a forum:
>>
>> The patch is only one line[1], so if you're scared to update Drupal for
>> fear of breaking things you can just patch the vulnerable part.
>> In this file:
>> includes/database/database.inc
>> Replace line 739:
>> foreach ($data as $i => $value) {
>> With the patched code:
>> foreach (array_values($data) as $i => $value) {
>>
>> [1] https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
>>
>> ---------------------
>> Fernando Duran
>> http://www.fduran.com
>>
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
> "For every complex problem, there is an answer that is clear, simple,
> and wrong." -- H.L. Mencken
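The one-line change quoted in the thread, as an added example that is not code from this thread or from Drupal itself: a cut-down PHP model of the array-placeholder expansion in includes/database/database.inc, with the original line 739 and the patched line side by side, plus a check that no text from the argument keys has reached the generated SQL. The function names, the sample query and the sample argument array are assumptions chosen for illustration; only the two foreach lines come from the thread. Assumes PHP 7 or later.

```php
<?php
// Added example, not code from the kwlug-disc thread or from Drupal.
// Models the placeholder expansion in includes/database/database.inc so the
// effect of the one-line fix (SA-CORE-2014-005) can be seen directly.
// Names below are assumptions; only the two foreach lines come from the thread.

/**
 * Expand an array-valued placeholder (":name" => array(...)) into a
 * comma-separated list of placeholders such as ":name_0, :name_1".
 *
 * $patched = FALSE reproduces the behaviour before the fix: the caller's
 * array keys are concatenated into the placeholder names and therefore
 * into the SQL text. $patched = TRUE applies the fix from the thread, where
 * array_values() discards the caller's keys and renumbers from zero.
 */
function expand_placeholders(string $query, array $args, bool $patched): array {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = [];
    // Original line 739:  foreach ($data as $i => $value) {
    // Patched line:       foreach (array_values($data) as $i => $value) {
    $iterable = $patched ? array_values($data) : $data;
    foreach ($iterable as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // Replace only the exact placeholder, not a longer one sharing its prefix.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return [$query, $args];
}

/**
 * Defensive check: every generated placeholder must look like
 * ":name_<digits>". Anything else means caller-supplied key text has been
 * spliced into the SQL string.
 */
function placeholders_are_clean(array $args): bool {
  foreach (array_keys($args) as $name) {
    if (!preg_match('/^:[A-Za-z_]+_\d+$/', (string) $name)) {
      return FALSE;
    }
  }
  return TRUE;
}

/**
 * Does a copy of database.inc contain the patched line from the thread?
 * Takes the file contents as a string; the caller decides which file to read.
 */
function database_inc_is_patched(string $source): bool {
  return strpos($source, 'foreach (array_values($data) as $i => $value)') !== FALSE;
}

// Constructed input: the array keys are what the caller of the query (or a
// request parameter parsed into an array) controls. A harmless string key is
// enough to show the difference between the two code paths.
$query = 'SELECT * FROM {users} WHERE name IN (:name)';
$args  = [':name' => ['untrusted key' => 'alice', 0 => 'bob']];

list($q_vuln, $a_vuln) = expand_placeholders($query, $args, FALSE);
list($q_fix,  $a_fix)  = expand_placeholders($query, $args, TRUE);

echo "unpatched: $q_vuln\n";
echo "patched:   $q_fix\n";
echo 'unpatched placeholders clean: ' . var_export(placeholders_are_clean($a_vuln), TRUE) . "\n";
echo 'patched placeholders clean:   ' . var_export(placeholders_are_clean($a_fix), TRUE) . "\n";

// To check an installed site, pass it the file's contents, e.g.
// database_inc_is_patched(file_get_contents('/where/drupal/is/installed/includes/database/database.inc'))
```

Running it shows the string key appearing inside the expanded query only on the unpatched path, which is exactly why the fix uses array_values(): after renumbering, the placeholder names depend solely on the count of values, never on their keys. The database_inc_is_patched() check only recognises the specific patched line quoted in the thread; as Khalid notes, upgrading (for example with drush up drupal) is still the right way to get a version number that reflects the fix.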