A vulnerability has been reported in Drupal 7 core that could allow for SQL injection. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code in SQL or PHP, and privilege escalation. Successful exploitation could allow an attacker to control the website; view, change, delete data; or perform other activities.
- Drupal core version 7 prior to 7.32
A vulnerability has been discovered in the Drupal 7 core. Specifically, this vulnerability is in the database abstraction API that sanitizes user-supplied data before using it in SQL queries. An attacker could create specially crafted requests resulting in arbitrary code execution (specifically PHP code) or privilege escalation. (CVE-2014-3704)
We recommend the following actions be taken:
- Update to the latest version of Drupal core.
- If unable to update to the latest version, apply the appropriate patch found on the Drupal website to the affected site’s database.inc file.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to click links from unknown sources, or to click links without verifying the intended destination.
- Do not open email attachments from unknown or untrusted sources
- Consider implementing file extension whitelists for allowed email attachments