[kwlug-disc] Drupal - pre Auth SQL Injection Vulnerability

Khalid Baheyeldin kb at 2bits.com
Thu Oct 16 09:47:40 EDT 2014


Absolutely ...

This is indeed serious. It allows SQL injection which means virtually
anything can be done.

For people to realize how serious it is, see this proof of concept script

http://pastebin.com/nDwLFV3v

It changes the name of your administrator user (uid 1) to admin and
sets a new password for it. Instant admin privileges on an unpatched
site.

http://www.reddit.com/r/netsec/comments/2jbu8g/sacore2014005_drupal_core.

There are real exploits in the wild, like this one

https://twitter.com/outlandishjosh/status/522626141794738176


On Thu, Oct 16, 2014 at 9:39 AM, Fernando Duran <liberosec at yahoo.ca> wrote:
> I don't know anything about Drupal, I'm very sure your advice is the way to go. Just letting people know of a worse vulnerability (remote code execution by anyone) for a very popular web app.
>
> ---------------------
> Fernando Duran
> http://www.fduran.com
>
>
>
>> On Thursday, October 16, 2014 9:33 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>> > Please note that Drupal 7 is vulnerable, but Drupal 6 is not.
>>
>> While changing line 739 directly will certainly make your site secure
>> against the vulnerability, editing the code directly is not
>> recommended because of other reasons.
>>
>> For example, doing so may introduce errors inadvertently because of
>> typos, and will not change the version number, so you get bogus
>> security warnings, which you will ignore; then when a real security
>> version comes out you don't upgrade, and are vulnerable.
>>
>> Applying the patch takes care of the typo concern.
>> The best way to upgrade is via drush:
>>
>> cd /where/drupal/is/installed
>> drush up drupal
>>
>> Much easier than other methods.
>>
>> On Thu, Oct 16, 2014 at 8:52 AM, Fernando Duran <liberosec at yahoo.ca>
>> wrote:
>>>  For Drupal users, yesterday's advisory:
>>>
>> https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
>>>
>>>  copy-pasting from a forum:
>>>
>>>  The patch is only one line[1], so if you're scared to update Drupal for
>> fear of breaking things you can just patch the vulnerable part.
>>>  In this file:
>>>      includes/database/database.inc
>>>  Replace line 739:
>>>      foreach ($data as $i => $value) {
>>>  With the patched code:
>>>      foreach (array_values($data) as $i => $value) {
>>>
>>>  [1] https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
>>>
>>>  ---------------------
>>>  Fernando Duran
>>>  http://www.fduran.com
>>>
>>>
>>>  _______________________________________________
>>>  kwlug-disc mailing list
>>>  kwlug-disc at kwlug.org
>>>  http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>>
>>
>> --
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>> "For every complex problem, there is an answer that is clear, simple,
>> and wrong." -- H.L. Mencken
>>
>>
>>
>>
>
>



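The one-line patch quoted in this thread (includes/database/database.inc, `foreach ($data as $i => $value)` becoming `foreach (array_values($data) as $i => $value)`) is easier to appreciate with the surrounding placeholder-expansion logic in view. What follows is an added example, not Drupal's own code and not from anyone in this thread: a simplified PHP model of the routine that expands an array argument into a comma-separated list of placeholders, in its vulnerable and patched forms, run on a constructed argument array whose keys are attacker-chosen. The function names, the query, and the input are assumptions made for the illustration.

```php
<?php
// Added example, not Drupal's code: a simplified model of the placeholder
// expansion that SA-CORE-2014-005 patched in includes/database/database.inc.
// Only the loop touched by the one-line patch differs between the two
// functions below; everything else is kept identical so the effect is clear.

// Vulnerable form: the array *keys* of $data ($i) become part of the
// placeholder names, and the placeholder names are spliced into the SQL text.
function expand_arguments_vulnerable(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {   // $i is attacker-controlled when $data came from the request
            $new_keys[$key . '_' . $i] = $value;
        }
        // Replace the single placeholder with the generated list, e.g. ":name" -> ":name_0, :name_1".
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

// Patched form: array_values() renumbers the keys 0..n-1 before the loop, so
// only integers ever reach the query text; the values still travel as bound
// parameters and never touch the SQL string.
function expand_arguments_patched(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

// Constructed input (assumption for the illustration): a multi-value
// parameter whose key is attacker-chosen, as PHP produces when it parses a
// request such as name[0) OR 1=1 -- ]=alice into an array.
$query = "SELECT * FROM {users} WHERE name IN (:name)";
$args  = [':name' => ['0) OR 1=1 -- ' => 'alice']];

list($q_vuln, $a_vuln) = expand_arguments_vulnerable($query, $args);
echo "vulnerable query : $q_vuln\n";
echo "vulnerable params: " . json_encode($a_vuln) . "\n";

list($q_fixed, $a_fixed) = expand_arguments_patched($query, $args);
echo "patched query    : $q_fixed\n";
echo "patched params   : " . json_encode($a_fixed) . "\n";
```

Run it with the php command-line interpreter. In the vulnerable form the key text is pasted straight into the query as part of the placeholder name, which is exactly the injection the advisory describes; in the patched form the placeholder is `:name_0` and the attacker's string survives only as a bound parameter name that the database layer never interprets as SQL. The same comparison shows why a typo in a hand edit of line 739 is dangerous: anything short of discarding the original keys leaves the query text under the caller's control.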




