Drupal is a popular open source content management system (CMS). The CMS platform is used by hundreds of thousands of organisations globally and has one of the largest user communities.
On 15th October 2014, a pre-authentication SQL injection vulnerability (CVE-2014-3704) was disclosed after a code audit of Drupal extensions. The vulnerability lies in the way Drupal handles prepared statements, meaning a malicious user can inject arbitrary SQL queries and take control of the Drupal installation.
Current versions affected by this include 7.x prior to 7.32. A Drupal security announcement stated “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15, 11pm UTC”, which is 7 hours after the announcement.
The vulnerability allows an unauthenticated attacker to insert SQL queries into the “name” parameter, which will be executed by the backend database. Successful exploitation could allow complete control of the Drupal site through code execution.
The initial advisory detailed that the vulnerability could be exploited via the login form used by content editors and administrators. The vulnerability is considered easy to exploit and carries a CVSS score of 7.5 (HIGH – AV:N/AC:L/Au:N/C:P/I:P/A:P).
The following POST request shows the vulnerable “name” parameter on the login page:
POST /?q=node&destination=node HTTP/1.1
The specifically vulnerable function in Drupal core is “expandArguments”, found in the “./includes/database.inc” file. It is called to expand array-valued arguments into placeholders before the prepared statement is executed. Further information, including a full technical write-up of how the vulnerability works, can be found here.
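As an added illustration (not code from the original post or from Drupal itself), the following stripped-down PHP model of expandArguments shows why the placeholder expansion was unsafe before 7.32 and what the fix changed. The SQL string and the keyed argument array are constructed inputs; the function names are assumptions used here for comparison.

```php
<?php
// Added example: a reduced model of DatabaseConnection::expandArguments()
// from includes/database.inc. Drupal expands an array argument such as
// :name => array(...) into ":name_0, :name_1" placeholders before binding.

// Pre-7.32 behaviour: the placeholder suffix is taken from the array KEY,
// so whatever text the caller placed in that key is spliced into the SQL
// string verbatim instead of being bound as a value.
function expand_arguments_vulnerable($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {            // $i is caller-controlled
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// 7.32 fix: array_values() discards the caller's keys, so the suffix is
// always the numeric position (0, 1, 2, ...) and only placeholders reach SQL.
function expand_arguments_fixed($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach (array_values($data) as $i => $value) {   // $i is now 0, 1, ...
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Constructed input: a keyed array standing in for a name[...] form field.
// The key "0 extra_text" is deliberately harmless; it only shows that key
// text lands in the query outside any placeholder.
$sql  = "SELECT uid FROM {users} WHERE name IN (:name)";
$args = array(':name' => array('0 extra_text' => 'alice', 'x' => 'bob'));

list($q1, $a1) = expand_arguments_vulnerable($sql, $args);
echo "vulnerable: $q1\n";   // ... name IN (:name_0 extra_text, :name_x)
list($q2, $a2) = expand_arguments_fixed($sql, $args);
echo "fixed:      $q2\n";   // ... name IN (:name_0, :name_1)
```

Running the script shows the caller's key text inside the vulnerable query string, while the fixed version emits only numbered placeholders and binds the same values.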
AppCheck NG Example
The AppCheck NG Drupal plugin inserts a “sleep” statement into the login request, causing a measurable time delay in the web server's response:
The AppCheck Web Application and Infrastructure vulnerability scanner has already been updated with a plugin to detect the flaw. Infrastructure and web applications are also scanned for all other classes of vulnerability, including missing patches, SQL injection and cross-site scripting.
No software to download or install.
Contact us or call us on 0113 887 8380.