[Security-news] SA-CORE-2014-005 - Drupal core - SQL injection
security-news at drupal.org
security-news at drupal.org
Wed Oct 15 16:04:14 UTC 2014
View online: https://www.drupal.org/SA-CORE-2014-005
* Advisory ID: DRUPAL-SA-CORE-2014-005
* Project: Drupal core [1]
* Version: 7.x
* Date: 2014-Oct-15
* Security risk: 20/25 ( Highly Critical)
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
Drupal 7 includes a database abstraction API to ensure that queries executed
against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted
requests resulting in arbitrary SQL execution. Depending on the content of
the requests this can lead to privilege escalation, arbitrary PHP execution,
or other attacks.
This vulnerability can be exploited by anonymous users.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* CVE-2014-3704
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal core 7.x versions prior to 7.32.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal 7.x, upgrade to Drupal core 7.32 [3].
If you are unable to update to Drupal 7.32 you can apply this patch [4] to
Drupal's database.inc file to fix the vulnerability until such time as you
are able to completely upgrade to Drupal 7.32.
Also see the Drupal core [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Stefan Horst
-------- FIXED BY
------------------------------------------------------------
* Stefan Horst
* Greg Knaddison [6] of the Drupal Security Team
* Lee Rowlands [7] of the Drupal Security Team
* David Rothstein [8] of the Drupal Security Team
* Klaus Purer [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* The Drupal Security Team [10]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
We've prepared a FAQ on this release. Read more at
https://www.drupal.org/node/2357241.
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/drupal-7.32-release-notes
[4]
http://cgit.drupalcode.org/drupal/patch/?id=26a7752c34321fd9cb889308f507ca6bdb777f08&SA-CORE-2014-005
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/david_rothstein
[9] https://www.drupal.org/u/klausi
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
More information about the Security-news
mailing list