
Drupal - Execute arbitrary code commands - Remote unauthenticated

 

Systems Affected


UNIX variants (UNIX, Linux, OSX)
Windows

Threat Level


High


Overview


The Drupal team has stated: "Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection." Additionally, they advised: "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."


Description


This Public Service Announcement is a follow up to SA-CORE-2014-005 Drupal core - SQL injection [3]. This is not an announcement of a new vulnerability in Drupal.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection [4]. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

*Simply updating to Drupal 7.32 will not remove backdoors.*

If you have not updated or applied this patch [5], do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn't do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.


Impact



Solution/Workarounds


Patch/Upgrade


References


https://www.auscert.org.au/render.html?it=21014


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.