More than one million websites are running on Drupal worldwide. So when a security threat is announced regarding this popular open-source content management platform, website administrators around the globe start to scramble.
Websites such as the San Francisco Examiner, NBC Sports, Hollywood Reporter, Economist, Columbia and Penn State universities, Men’s Health, and many more are among Drupal’s top websites, according to TopDrops.org.
Drupal warned users about a SQL Injection Flaw on October 15, 2014 and provided a patch. However, if the fix was not installed within a seven hour period on that day then the Drupal users are most likely out of luck and should assume their website has been compromised.
Injection flaws are at the top of the Open-Source Web Application Security Project (OWASP) list of the Top 10 biggest web vulnerabilities. These vulnerabilities essentially send untrusted data to an interpreter as part of a command or query. In Drupal’s case, its database abstraction API that was designed to protect against SQL injection attacks had a flaw. It enabled hackers to send unauthorized requests that resulted in arbitrary SQL execution. In a Drupal security advisory, it says that this flaw can lead to privilege escalation, arbitrary PHP execution or other attacks.
Drupal warns that updating to Drupal 7.32 won’t solve the problem; however, it is the first step you should take to fix the vulnerability. If you didn’t make that seven hour window on October 15th, it is most likely the automated attacks copied all of your data from your website and it is unclear how these cyber criminals will use it. If you go searching for signs of an attack, Drupal also said it is likely there will be no evidence showing an attack took place. In fact, sources say that hackers have even been able to install the patch on Drupal sites themselves to prevent other hackers from exploiting those specific sites.
The outlook does not look good for the Drupal community. Experts are suggesting that websites that have been affected may have to be rebuilt from scratch. An undertaking that is time consuming and costly. We recommend checking out the Drupal Public Service Announcement (PSA-2014-003) from October 29 and follow their suggested steps to recovery.
Like many companies that have experienced similar security incidents, Drupal did not act immediately. The vulnerability was officially discovered in September by a German security firm that was hired to check for weaknesses in the Drupal software. Although, reports say that this specific SQL injection flaw has been on Drupal’s 40-person volunteer security team’s list of potential vulnerabilities for almost a year. The Drupal customer that hired the German security firm was following industry best practices, by conducting application security testing on a solution that they purchased to identify any potential vulnerabilities that may put their information assets and those of their customers at risk.
As these security incidents continue to occur, they bring heightened awareness to the fact that organizations need to take security precautions in every facet of their operations, especially with their IT environments. Code Dx offers software assurance solutions to help ensure that the applications you build or buy are void of any vulnerabilities. For more information on Code Dx, contact us at firstname.lastname@example.org or at (631) 759-3993.