quote:
SA-CORE-2014-005 - Drupal core - SQL injection
Posted by Drupal Security Team on October 15, 2014 at 4:02pm
Advisory ID: DRUPAL-SA-CORE-2014-005
Project: Drupal core
Version: 7.x
Date: 2014-Oct-15
Security risk: 25/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:All
Vulnerability: SQL Injection
Description
Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This vulnerability can be exploited by anonymous users.
Update: Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: www.drupal.org/PSA-2014-003
CVE identifier(s) issued
CVE-2014-3704
Versions affected
Drupal core 7.x versions prior to 7.32.
Solution
Install the latest version:
If you use Drupal 7.x, upgrade to Drupal core 7.32.
If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.
www.drupal.org/SA-CORE-2014-005

If you use it, might I suggest updating.
Blake
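
An added example, not part of the post or the quoted advisory: a triage script that applies the advisory's "Versions affected" line (7.x prior to 7.32) to Drupal trees on disk. It assumes Drupal 7's `define('VERSION', ...)` line in `includes/bootstrap.inc`; the function names are hypothetical, the sample strings are constructed, and a version check cannot tell whether the `database.inc` patch was applied to an older release.

```python
import re
import sys
from pathlib import Path

FIXED = (7, 32)  # first fixed release named in the advisory
# Assumption: Drupal 7 declares its version as define('VERSION', '7.31');
VERSION_RE = re.compile(
    r"""define\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def core_version(bootstrap_text):
    """Return the VERSION string found in bootstrap.inc text, or None."""
    m = VERSION_RE.search(bootstrap_text)
    return m.group(1) if m else None


def classify(version):
    """Return 'affected', 'fixed', 'not-7.x' or 'review' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?(-.+)?", version or "")
    if not m:
        return "review"          # no VERSION constant, or e.g. '7.x-dev'
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if major != 7:
        return "not-7.x"         # advisory covers the 7.x branch only
    if (major, minor) < FIXED:
        return "affected"        # includes pre-releases such as 7.31-dev
    if (major, minor) == FIXED and suffix:
        return "review"          # a 7.32-dev snapshot may predate the fix
    return "fixed"


def scan(root):
    """Yield (site_dir, version, status) for every Drupal tree under root."""
    for path in sorted(Path(root).rglob("bootstrap.inc")):
        if path.parent.name != "includes":
            continue
        version = core_version(path.read_text(errors="replace"))
        yield str(path.parent.parent), version, classify(version)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for site, version, status in scan(sys.argv[1]):
            print(f"{status:9} {version or '?':10} {site}")
    else:
        # Constructed sample lines, not taken from any real site.
        for line in ("define('VERSION', '7.31');", "define('VERSION', '7.32');",
                     "define('VERSION', '7.x-dev');", "<?php // no constant"):
            v = core_version(line)
            print(f"{classify(v):9} {v or '?'}")
```

Run it with a directory argument (for example a web root) to list every Drupal tree found beneath it with its status.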