[arch-security] [Arch Linux Security Advisory ASA-201410-7] drupal: pre-auth sql injection

Remi Gacogne rgacogne-arch at coredump.fr
Thu Oct 16 12:09:41 UTC 2014


Arch Linux Security Advisory ASA-201410-7
=========================================

Severity: Critical
Date    : 2014-10-16
CVE-ID  : CVE-2014-3704
Package : drupal
Type    : SQL injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package drupal before version 7.32-1 is vulnerable to a remote,
unauthenticated SQL injection.

Resolution
==========

Upgrade to 7.32-1.

# pacman -Syu "drupal>=7.32-1"

The problem has been fixed upstream in version 7.32.

Workaround
==========

None.

Description
===========

Drupal 7 includes a database abstraction API that is meant to ensure that
queries executed against the database are sanitized to prevent SQL
injection attacks.
A vulnerability in this API allows an attacker to send specially crafted
requests resulting in arbitrary SQL execution. The flaw is in the
expansion of array-valued placeholders (DatabaseConnection::expandArguments()
in includes/database/database.inc): when a placeholder is bound to an array,
one placeholder per element is generated by appending the array's keys to the
placeholder name, and those keys were taken unchanged from the request, so a
key containing SQL ends up in the query text. Depending on the content of the
requests this can lead to privilege escalation, arbitrary PHP execution, or
other attacks.
This vulnerability can be exploited by anonymous users.

This vulnerability has been marketed as Drupageddon by the discoverer,
SektionEins.
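
The placeholder expansion described above, modelled in Python as an added
example (this is not code from the advisory or from Drupal; it re-implements
the few lines of DatabaseConnection::expandArguments() that matter, with the
7.31 behaviour and the 7.32 fix selectable by a flag). The query, the
placeholder names and the injected payload are constructed for illustration;
the real login query uses other column and placeholder names but is expanded
the same way.

```python
import re

# Constructed stand-in for a Drupal 7 query whose IN() clause is bound to an
# array and therefore passes through expandArguments() before being prepared.
LOGIN_QUERY = "SELECT * FROM users WHERE name IN (:name) AND status = 1"

# Constructed attacker input: the value is harmless, the array *key* carries
# the SQL. In PHP this is what name[0 ;UPDATE ... ;# ]=x in a POST body
# becomes.
INJECTED_KEY = "0 ;UPDATE users SET pass = 'x' WHERE uid = 1 ;# "
MALICIOUS_NAME = {INJECTED_KEY: "x"}

# What a legitimately generated placeholder name looks like.
SAFE_PLACEHOLDER = re.compile(r"^:[A-Za-z0-9_]+$")


def expand_arguments(query, args, hardened):
    """Python model of DatabaseConnection::expandArguments() in Drupal 7.

    Every argument whose value is an array is turned into one placeholder per
    element: ':name' bound to two values becomes ':name_0, :name_1' in the
    SQL text. hardened=False reproduces 7.31, where the suffixes are the
    array keys exactly as supplied by the caller (i.e. by the HTTP request);
    hardened=True reproduces the 7.32 fix, which runs the array through
    array_values() first so the suffixes are always 0..n-1.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        if isinstance(data, dict):
            pairs = list(data.items())
        else:
            pairs = list(enumerate(data))
        if hardened:
            pairs = list(enumerate(value for _, value in pairs))
        new_keys = {f"{key}_{i}": value for i, value in pairs}
        # PHP: preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        expansion = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda _m: expansion, query)
        del args[key]
        args.update(new_keys)
    return query, args


def unsafe_placeholders(args):
    """Placeholder names that cannot have been produced by the query builder."""
    return [name for name in args if not SAFE_PLACEHOLDER.match(name)]


def demo():
    vuln_query, vuln_args = expand_arguments(
        LOGIN_QUERY, {":name": MALICIOUS_NAME}, hardened=False)
    fixed_query, fixed_args = expand_arguments(
        LOGIN_QUERY, {":name": MALICIOUS_NAME}, hardened=True)
    return {
        "vulnerable": vuln_query,
        "vulnerable_unsafe": unsafe_placeholders(vuln_args),
        "fixed": fixed_query,
        "fixed_unsafe": unsafe_placeholders(fixed_args),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running it shows both expansions: with hardened=False the attacker-controlled
key is spliced verbatim into the SQL text, so the statement that reaches the
database driver already contains the UPDATE; with hardened=True only :name_0
survives and the payload is reduced to a bound value. unsafe_placeholders()
is the kind of assertion worth keeping around a query builder: every expanded
placeholder name must match ^:[A-Za-z0-9_]+$, and anything else means
untrusted data reached the SQL text.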

Impact
======

A remote, unauthenticated attacker can alter or drop the Drupal
database with a single HTTP request. This can be escalated to code
execution.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://bugs.archlinux.org/task/42388
https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html
