November 3, 2014 by

Highly Critical Drupal SQL Injection Vulnerability Affects Millions of Websites

A serious vulnerability in Drupal was re-announced recently. The vulnerability carries the advisory ID of SA-CORE-2014-005 and applies to all Drupal sites running version 7.xx. According to the Public Service Announcement, vulnerable, un-patched sites running Drupal, started getting compromised within about 7 hours of the original vulnerability announcement on October 15, 2014.

Drupal observed vulnerable websites getting attacked starting from 7.32 hours after the initial statement, which did not allow for a lot of time to patch the site. Also, simply patching the site now will not help if your site was already compromised, as the attackers might have left backdoors for later use. There is no way to be certain that every backdoor was found and it is advised restore the affected website using a backup, or even to start from scratch.

According to Mark Stockley of Sophos, of the Internet’s 1 billion websites, somewhere between 1.9% and 5.1% use Drupal. Of these, somewhere between 65%-84% use the affected Drupal 7.xx. Based on this, he estimates that the number of affected websites can be as high as 12 million.

It is advised for every site affected to follow these steps to restore your website using a backup:

  1. Take the website offline by replacing it with a static HTML page
  2. Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  5. Update or patch the restored Drupal core code
  6. Put the restored and patched/updated website back online
  7. Manually redo any desired changes made to the website since the date of the restored backup
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

For more information, you might be interested in reading the official FAQ on the vulnerability.

Enjoyed this post? Subscribe to our newsletter and don’t miss a thing!


About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

40% of Android Devices at Risk of Screen Hijack Exploit

Security researchers have uncovered a significant flaw in Google’s popular mobile platform...

Read more arrow_forward

Is your Server Compromised? Use our Free Tool to Find out.

  Have you been the unfortunate victim of a security breach? Do you fear the possibility of...

Read more arrow_forward

OAuth 2.0 Claims it is Still Secure, “If Used Properly”

In the aftermath of the revelation that a billion mobile apps could be hijacked through a...

Read more arrow_forward