Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 620
Alerts This Week
Warning Icon 1 620

Arch Linux: 202303-5 Important: drupal XSS Vulnerability Detected

Archlinux Large Esm H446
The package drupal before version 7.32-1 is vulnerable to a remote, non-authenticated, SQL injection.
Arch Linux Security Advisory ASA-201410-7
========================================
Severity: Critical
Date    : 2014-10-16
CVE-ID  : CVE-2014-3704
Package : drupal
Type    : SQL injection
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package drupal before version 7.32-1 is vulnerable to a remote,
non-authenticated, SQL injection.

Resolution
=========
Upgrade to 7.32-1.

# pacman -Syu "drupal>=7.32-1"

The problem has been fixed upstream in version 7.32.

Workaround
=========
None.

Description
==========
Drupal 7 includes a database abstraction API to ensure that queries
executed against the database are sanitized to prevent SQL injection
attacks.
A vulnerability in this API allows an attacker to send specially crafted
requests resulting in arbitrary SQL execution. Depending on the content
of the requests this can lead to privilege escalation, arbitrary PHP
execution, or other attacks.
This vulnerability can be exploited by anonymous users.

This vulnerability has been marketed as drupageddon by the discoverer,
Sektion Eins.

Impact
=====
A remote, non-authenticated, attacker can alter or drop the drupal
database with a single HTTP request. This can be escalated to code
execution.

References
=========
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://bugs.archlinux.org/task/42388
https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html