Drupal Association fixes critical SQL injection flaw

The Drupal Association - a non-profit tasked with fostering and supporting the Drupal open-source content management framework coded in PHP - has patched a critical SQL injection vulnerability in version 7.

'Union-based' SQL injection vulnerability was responsible for the Yahoo! Voices hack
The vulnerability, which was revealed by SektionEins earlier this week, reportedly allows arbitrary code execution, caused - ironically enough - by a flaw in an API designed to help prevent SQL injection attacks.

According to SektionEins, the vulnerability is critical: a full SQL injection that results in total control of the Web site and code execution on it.

The Drupal Association, meanwhile, says that Drupal 7's database abstraction API is designed to ensure that queries executed against the database are sanitised to prevent SQL injection attacks.

"A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks," says the advisory.

"Although there are no known exploits in use at this time, Drupal 7 sites are exposed to this vulnerability until they are updated. Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information," the association adds.

According to Guillermo Lafuente, a security consultant with MWR InfoSecurity, Drupal uses prepared statements in all its SQL queries, so it is surprising that such a vulnerability was found.
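Lafuente's point about prepared statements is the crux: parameter binding protects the values, not the text of the query itself. The following is an added, constructed PHP illustration (not Drupal's code, and only a simplified sketch of the array-placeholder expansion pattern the advisory describes in general terms) of how an expander that derives placeholder names from caller-supplied array keys lets request text reach the SQL string before the statement is prepared, beside a hardened version keyed on a counter; the function names are hypothetical.

```php
<?php
// Constructed illustration, not Drupal's code: expanding an array-valued
// placeholder (":ids" bound to a list) into ":ids_0, :ids_1, ..." so the list
// fits a prepared statement. The only difference between the two variants is
// where the suffix of each generated placeholder name comes from.

// Vulnerable variant: suffixes are the keys of the value array. If those keys
// are taken from the request, caller text lands in the SQL string itself,
// before the statement is prepared, so parameter binding cannot protect it.
function expandArgumentsVulnerable(string $query, array $args): array {
    foreach ($args as $key => $data) {
        if (!is_array($data)) continue;
        $newKeys = [];
        foreach ($data as $i => $value) {          // $i is caller-controlled
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = str_replace($key, implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// Hardened variant: suffixes come from a counter, so the query text never
// depends on the caller's keys; only the bound values do.
function expandArgumentsHardened(string $query, array $args): array {
    foreach ($args as $key => $data) {
        if (!is_array($data)) continue;
        $newKeys = [];
        foreach (array_values($data) as $i => $value) { // $i is 0, 1, 2, ...
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = str_replace($key, implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// Invariant worth asserting in a test suite: after expansion, the IN (...)
// list contains nothing but plain placeholder identifiers and separators.
function expandedListIsWellFormed(string $query): bool {
    return (bool) preg_match('/IN \(:\w+(, :\w+)*\)/', $query);
}

// Constructed sample: a value array whose keys (not values) carry stray text,
// as they would if the array were copied straight from a request parameter.
$sql = 'SELECT name FROM users WHERE uid IN (:ids)';
$tampered = ['0; -- tampered' => 1, 'x' => 2];
[$q1] = expandArgumentsVulnerable($sql, [':ids' => $tampered]);
[$q2] = expandArgumentsHardened($sql, [':ids' => $tampered]);
var_dump(expandedListIsWellFormed($q1));  // vulnerable: key text reshaped the query
var_dump(expandedListIsWellFormed($q2));  // hardened: placeholders come from a counter
```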

The issue, he says, was found during a code review audit performed by Stefan Horst for a client, which shows that the Drupal community has not carried out sufficient audits of its own codebase to ensure such vulnerabilities are not present.

Surprising

"What is even more surprising is that the issue was reported to the Drupal community in November 2013, and the community appears to have failed to react to the reported security vulnerability," he explained.

Lafuente says that encrypting the data in a database will not help prevent SQL injection vulnerabilities.

"However, if the contents of the database are encrypted, then an attacker exploiting the issue who goes on to extract database content will not be able to see the cleartext data. Therefore encrypting the data in your database can help you to greatly reduce the impact of a SQL injection vulnerability," he said.

"Administrators should update their Drupal installations as soon as possible. It is likely that hackers will start widely exploiting the issue now that the issue is publicly known," he added.

Tim Erlin, a fellow security researcher with Tripwire, said that there is no doubt that someone in the industry will humorously point out the irony in a SQL injection vulnerability in a component designed to prevent that very attack, but program code, he explained, is program code and vulnerabilities are non-discriminatory.

"Attacks like this, that exploit a valid channel to data, demonstrate why encrypted data isn't a panacea for security. An encrypted database is still designed to be accessed via SQL, and exploiting the designed method of access will still deliver the goods to the attacker. You can't simply encrypt it and forget it," he said.

Thick and fast

Andrew Avanessian, EVP of consultancy and technology services with Avecto, meanwhile, said that high-profile vulnerabilities are coming thick and fast, with this latest one affecting a platform behind millions of Web sites. The sheer scale of the problem, he added, makes it an issue that IT departments and developers need to be aware of.

"It's another reminder of the importance of a defence in depth approach to security. A detective based security strategy (i.e. anti-virus only and the like) would be completely vulnerable to this bug, but if businesses take proactive, practical steps - such as restricting administrative privileges, only allowing known good applications to execute and isolating online content - they'd be in a much stronger position to stop any exploits," he explained.

Gavin Millard, Tenable's technical director for EMEA, picked up on the scale of the problem, saying that, with approximately 900,000 Web sites now running vulnerable versions of Drupal, the threat vector is immense and action has to be taken.

"While no reports of this flaw being exploited have been reported, you can be sure that won't remain true if not addressed immediately. Proof of concept code is already surfacing to take advantage of this significant flaw. Network owners need to act fast - scanning their infrastructures for Drupal, applying the patch released by the developers or updating to the latest version to make sure they're safe from this vulnerability," he said.
