[arch-security] [Arch Linux Security Advisory ASA-201410-7] drupal: pre-auth sql injection
Arch Linux Security Advisory ASA-201410-7
=========================================

Severity: Critical
Date    : 2014-10-16
CVE-ID  : CVE-2014-3704
Package : drupal
Type    : SQL injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package drupal before version 7.32-1 is vulnerable to a remote,
unauthenticated SQL injection.

Resolution
==========

Upgrade to 7.32-1.

# pacman -Syu "drupal>=7.32-1"

The problem has been fixed upstream in version 7.32.

Workaround
==========

None.

Description
===========

Drupal 7 includes a database abstraction API intended to ensure that queries
executed against the database are parameterized and therefore safe from SQL
injection. A vulnerability in this API allows an attacker to send specially
crafted requests that result in arbitrary SQL being executed. Depending on the
content of the requests, this can lead to privilege escalation, arbitrary PHP
execution, or other attacks. The vulnerability can be exploited by anonymous
users; no account on the site is required.

The vulnerability has been dubbed "Drupageddon" by its discoverer, SektionEins.

Impact
======

A remote, unauthenticated attacker can alter or drop the Drupal database with a
single HTTP request. This can be escalated to code execution.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://bugs.archlinux.org/task/42388
https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerabili...
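The advisory describes the bug only as a flaw in the database abstraction API. The following is an added example, written for this page and not taken from Drupal's source or from the advisory: a minimal re-implementation of the placeholder-expansion pattern that CVE-2014-3704 hit, shown in its vulnerable and hardened forms. The function names, the sample query and the sample request are all constructed for illustration. The root cause it demonstrates is that when a placeholder such as `:name` is bound to a PHP array, the expansion code builds new placeholder names from the array's keys, and PHP's request parsing lets a client choose those keys (`name[anything]=...`), so client-controlled text is concatenated directly into the SQL string instead of being bound as a parameter.

```php
<?php
// Added example (not Drupal's source): the placeholder-expansion pattern
// behind CVE-2014-3704, vulnerable and hardened. Names are illustrative.

/**
 * Vulnerable shape. Expands an array-valued placeholder (":name" bound to a
 * PHP array) into one ":name_<i>" placeholder per element. The flaw: $i is
 * the array *key*, and a client can choose keys via name[...]=..., so the
 * attacker's text becomes part of the SQL string. The keys of $args
 * themselves (the placeholder names) are developer-controlled.
 */
function expand_arguments_vulnerable(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {          // $i is client-controlled
            $new_keys[$key . '_' . $i] = $value;   // e.g. ":name_0 ;sleep(10) -- "
        }
        // Replace the single ":name" placeholder with the comma-joined list
        // of generated placeholder names, i.e. with the attacker's text.
        $query = preg_replace('#' . $key . '\b#',
                              implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

/**
 * Hardened shape: renumber the array first so $i is always 0, 1, 2, ... and
 * only the *values* remain client-controlled. Values stay bound as
 * parameters; nothing from the client reaches the query string.
 */
function expand_arguments_fixed(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) {   // $i: 0, 1, 2, ...
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#',
                              implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

// Constructed input (not from the advisory): a query with one array-valued
// placeholder, and the argument array PHP would build from a request body
// such as   name[0 ;sleep(10) -- ]=foo&name[0]=bar
$query = 'SELECT uid FROM users WHERE name IN (:name) AND status = 1';
$args  = [':name' => ['0 ;sleep(10) -- ' => 'foo', 0 => 'bar']];

[$bad_query, $bad_args]   = expand_arguments_vulnerable($query, $args);
[$good_query, $good_args] = expand_arguments_fixed($query, $args);

echo "vulnerable: $bad_query\n";   // attacker-chosen key is now inside the SQL
echo "fixed:      $good_query\n";  // only generated placeholder names appear
echo "fixed args: ", json_encode($good_args), "\n";
```

Run it with `php example.php`. In the vulnerable output the string `;sleep(10) -- ` sits inside the `IN (...)` clause of the query text, which is exactly the "specially crafted request" the advisory refers to; in the hardened output the clause contains only `:name_0, :name_1`, and both client-supplied strings are carried in the argument array to be bound by the driver. Drupal 7.32's fix takes this same approach, renumbering the array with `array_values()` before building placeholder names.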
Participants (1): Remi Gacogne