[arch-security] [Arch Linux Security Advisory ASA-201410-7] drupal: pre-auth sql injection
rgacogne-arch at coredump.fr
Thu Oct 16 12:09:41 UTC 2014
Arch Linux Security Advisory ASA-201410-7
Date : 2014-10-16
CVE-ID : CVE-2014-3704
Package : drupal
Type : SQL injection
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package drupal before version 7.32-1 is vulnerable to a remote,
unauthenticated SQL injection.
Upgrade to 7.32-1.
# pacman -Syu "drupal>=7.32-1"
The problem has been fixed upstream in version 7.32.
Drupal 7 includes a database abstraction API to ensure that queries
executed against the database are sanitized to prevent SQL injection.
A vulnerability in this API allows an attacker to send specially crafted
requests resulting in arbitrary SQL execution. Depending on the content
of the requests this can lead to privilege escalation, arbitrary PHP
execution, or other attacks.
This vulnerability can be exploited by anonymous users.
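The following is an added illustration, not code from the advisory or from Drupal itself. It is a simplified model of the one place in the Drupal 7 database layer where the abstraction broke down: when a placeholder's value is an array, the layer expands ":name" into a comma-separated list of placeholders (":name_0, :name_1, ...") before handing the query to PDO. Before 7.32 the numeric suffix was taken from the array key; if a caller had built that array from request data (PHP turns a parameter written as name[foo]=bar into array('foo' => 'bar')), the key, and so any SQL in it, was copied straight into the statement text while only the values went through parameter binding. The 7.32 fix renumbers the elements with array_values() so the suffix is always a caller-independent integer. The query string, the placeholder name and the hostile input below are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Model of the pre-7.32 behaviour: the placeholder suffix is the array KEY.
function expand_arguments_vulnerable(string $query, array $args): array
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {
            // $i is whatever key the caller's array had; if request input
            // chose it, it is attacker-controlled and lands in the SQL text.
            $new_keys[$key . '_' . $i] = $value;
        }
        // \b keeps ":name" from also matching ":names" or ":name_x".
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// Model of the 7.32 fix: array_values() renumbers the elements 0..n-1, so the
// suffix is an integer the caller cannot influence. Values are still bound
// through PDO and never appear in the query text.
function expand_arguments_fixed(string $query, array $args): array
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// Constructed query: a developer wrote a normal IN (:name) with an array value.
$query = 'SELECT uid FROM {users} WHERE name IN (:name)';

// Benign call: sequential integer keys, both variants expand identically.
list($q, $a) = expand_arguments_vulnerable($query, array(':name' => array('alice', 'bob')));
echo "benign, pre-7.32 : $q\n";

// Constructed hostile input: the caller let request data pick the array keys,
// so one key carries SQL. Only the VALUES ('alice', 'bob') are bound.
$hostile = array(':name' => array('0 OR 1=1 -- ' => 'alice', 1 => 'bob'));

list($q, $a) = expand_arguments_vulnerable($query, $hostile);
echo "hostile, pre-7.32: $q\n";
echo "bound parameters : " . implode(', ', array_keys($a)) . "\n";

list($q, $a) = expand_arguments_fixed($query, $hostile);
echo "hostile, 7.32    : $q\n";
echo "bound parameters : " . implode(', ', array_keys($a)) . "\n";
```

Run with `php`, the pre-7.32 variant prints the hostile query with `OR 1=1 -- ` spliced into the statement between the two placeholders: PDO binds `:name_0` and `:name_1`, and everything between them is executed as SQL the developer never wrote. The fixed variant prints `IN (:name_0, :name_1)` for the same input, with the attacker's key discarded. The key property a reviewer should check in any such expansion helper is that nothing derived from the arguments ever reaches the query string; only placeholder names generated by the helper itself may.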
This vulnerability has been marketed as drupageddon by the discoverer.
A remote, unauthenticated attacker can alter or drop the Drupal
database with a single HTTP request. This can be escalated to code