SQL Injection Vulnerability in Drupal could allow for Remote Code Execution

ITS Advisory Number: 
2014-091
Date(s) Issued: 
Thursday, October 16, 2014
Subject: 
SQL Injection Vulnerability in Drupal could allow for Remote Code Execution
Overview: 

A vulnerability has been reported in Drupal 7 core that could allow for SQL injection. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code in SQL or PHP, and privilege escalation. Successful exploitation could allow an attacker to control the website; view, change, delete data; or perform other activities.

Systems Affected: 
  • Drupal core version 7 prior to 7.32
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

A vulnerability has been discovered in the Drupal 7 core. Specifically, this vulnerability is in the database abstraction API that sanitizes user-supplied data before using it in SQL queries. An attacker could create specially crafted requests resulting in arbitrary code execution (specifically PHP code) or privilege escalation. (CVE-2014-3704)

Actions: 

We recommend the following actions be taken:

  • Update to the latest version of Drupal core.
  • If unable to update to the latest version, apply the appropriate patch found on the Drupal website to the affected site’s database.inc file.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to click links from unknown sources, or to click links without verifying the intended destination.
  • Do not open email attachments from unknown or untrusted sources
  • Consider implementing file extension whitelists for allowed email attachments
References: 

Drupal:
https://www.drupal.org/SA-CORE-2014-005 

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704

Security Focus:

http://www.securityfocus.com/bid/70595