Drupal 7.x SQL Injection Vulnerability (CVE-2014-3704)

October 15, 2014

Summary

"Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. This vulnerability can be exploited by anonymous users." [1]

This is a critical vulnerability that can be exploited remotely without authentication. Upgrade your Drupal 7 instances immediately.

Impact

Depending on the content of the requests, successful attacks can lead to privilege escalation, arbitrary PHP execution, and more.

Vulnerable

  • Drupal core 7.x versions prior to 7.32
  • Hosted Drupal instances at providers such as Pantheon and Acquia
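
Since the remediation is upgrading to 7.32, one check a defender can automate is reading the version each Drupal 7 install declares. The following Python is an added example, not code from this advisory or from the Drupal project: it parses the `define('VERSION', ...)` line of `includes/bootstrap.inc` (a constructed excerpt is embedded) and compares it numerically against 7.32, treating pre-release snapshots conservatively.

```python
import re

# Constructed excerpt of a Drupal 7 includes/bootstrap.inc (not from a real install).
SAMPLE_BOOTSTRAP_INC = """<?php
/**
 * The current system version.
 */
define('VERSION', '7.31');
define('DRUPAL_CORE_COMPATIBILITY', '7.x');
"""

FIXED_IN = (7, 32, 0)  # CVE-2014-3704 is fixed in Drupal core 7.32
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")

def parse_drupal_version(bootstrap_inc_source):
    """Return the VERSION string declared in a Drupal 7 includes/bootstrap.inc."""
    match = VERSION_RE.search(bootstrap_inc_source)
    if match is None:
        raise ValueError("no define('VERSION', ...) found; not a Drupal 7 bootstrap.inc?")
    return match.group(1)

def version_key(version):
    """Map '7.31' -> (7, 31, 0) and '7.32-dev' -> (7, 32, -1).
    Tuples compare numerically, avoiding the string trap where '7.9' > '7.32'.
    Pre-release suffixes (-dev, -rc1, ...) sort below the final release, so a
    snapshot taken before the fix landed is conservatively treated as vulnerable."""
    core, sep, _suffix = version.partition("-")
    major, _, minor = core.partition(".")
    minor_num = 0 if minor in ("", "x") else int(minor)  # '7.x' dev branch -> 0
    return (int(major), minor_num, -1 if sep else 0)

def is_vulnerable(version):
    """True for a 7.x version older than 7.32, the range named in the advisory.
    Other major versions are outside this advisory's scope and report False."""
    key = version_key(version)
    return key[0] == 7 and key < FIXED_IN

def check_bootstrap_inc(bootstrap_inc_source):
    """Return (declared version, vulnerable?) for the contents of bootstrap.inc."""
    version = parse_drupal_version(bootstrap_inc_source)
    return version, is_vulnerable(version)

if __name__ == "__main__":
    version, vulnerable = check_bootstrap_inc(SAMPLE_BOOTSTRAP_INC)
    print(f"Drupal {version}: {'VULNERABLE, upgrade to 7.32' if vulnerable else 'not affected'}")
```

A site patched in place without a full upgrade (for example by a hosting provider) still declares the old VERSION, so this check reports it as vulnerable; treat a hit as a prompt to verify the install, not as proof of exposure.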

Recommendations

References