[kwlug-disc] Drupal - pre Auth SQL Injection Vulnerability

Khalid Baheyeldin kb at 2bits.com
Fri Oct 31 09:54:41 EDT 2014


As a followup ...

Those who did not patch their Drupal 7 sites within hours of the
vulnerability disclosure could have been compromised, even if they
were patched later.

https://www.drupal.org/PSA-2014-003

This tool should help you investigate whether your site has been
compromised or not.

https://www.drupal.org/project/drupalgeddon

If you are running Drupal 6, your site is not vulnerable.

On Fri, Oct 17, 2014 at 9:53 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> Here is the FAQ on the SQL injection exploit.
>
> https://www.drupal.org/node/2357241
>
> There are more exploits by the day.
>
> Many of them try to insert an entry into the menu_router that maps
> to a PHP eval that retrieves a remote PHP file, and tries to stash it
> somewhere under /modules. Then a GET request to the menu router path
> from a Cookie should execute the PHP.
>
> If your server makes only the "files" directory within Drupal writable
> to the web server user, not the entire Drupal itself, then you are
> safe, since they can't write a PHP file where it can be executed. A
> simple drush cc all or drush cc menu will clear the exploit attempt
> from the menu table.
>
> Note that they do all the above with POST variables, not in the URL,
> and access it with Cookies, so nothing gets logged in the Apache log.
>
> Some of the exploits fix the SQL injection as well! This is not
> altruistic, but to prevent other malicious users from exploiting the
> same site.
>
> The exploit about creating an admin user is more concerning, since it
> is under the radar, and does not depend on writable Drupal
> directories.
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. --  Edsger W. Dijkstra
> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
> "For every complex problem, there is an answer that is clear, simple,
> and wrong." -- H.L. Mencken



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W. Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
"For every complex problem, there is an answer that is clear, simple,
and wrong." -- H.L. Mencken