Information Security News mailing list archives

Did Drupal Drop The Ball? Users Who Didn't Update Within 7 Hours 'Should Assume They've Been Hacked'


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 30 Oct 2014 14:38:38 +0000 (UTC)

http://www.forbes.com/sites/thomasbrewster/2014/10/30/did-drupal-drop-the-ball-users-who-didnt-update-within-7-hours-should-assume-theyve-been-hacked/

By Thomas Fox-Brewster
Forbes.com
10/30/2014

Hackers are remarkably quick off the mark. Drupal, the project behind the eponymous content management system that millions use the world over, now knows that all too well. In mid-October it patched a SQL injection flaw, a class of bug that lets an attacker smuggle SQL of their own into the queries a site sends to its database, so that the database hands over, or alters, data from its tables that it never should. But yesterday it said that, thanks to an automated attack that hit as many vulnerable Drupal sites as quickly as possible, anyone who didn't update to version 7.32 within seven hours of its release should assume they've been hacked.
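The article does not say where the injection lived. The bug fixed in 7.32 (SA-CORE-2014-005) was in the database layer's expansion of array-valued placeholders, expandArguments() in includes/database/database.inc, which built the per-element placeholder names from the caller-supplied array keys, so anything in a key was spliced straight into the SQL text. The Python below is an added illustration of that bug class against an in-memory SQLite database, written for this page; it is not Drupal's code, the table and its rows are constructed sample data, and placeholder names are written without the leading colon that Drupal's PDO layer uses.

```python
import re
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [("alice", "alice@example.org"),
                ("bob", "bob@example.org"),
                ("admin", "root@example.org")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def _splice(query, key, new_keys):
    # Replace ":key" (whole word) with ":key_a, :key_b, ..." built from new_keys.
    repl = ", ".join(":" + k for k in new_keys)
    return re.sub(rf":{key}\b", lambda m: repl, query)


def expand_arguments_vulnerable(query, args):
    """Expand list-valued placeholders into :name_<suffix> placeholders.

    Mirrors the pre-7.32 bug class: the suffix is the caller-supplied array
    key, so whatever the key contains lands in the SQL text. Illustration only.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value for i, value in data.items()}  # key comes from the caller
        query = _splice(query, key, new_keys)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_fixed(query, args):
    """Same expansion, but the suffix is an internal counter; keys never reach the SQL."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value for i, value in enumerate(data.values())}
        query = _splice(query, key, new_keys)
        del args[key]
        args.update(new_keys)
    return query, args


def lookup(expander, requested):
    """Run 'WHERE name IN (:name)' with the given expander; return (sql, sorted names)."""
    conn = make_db()
    query, args = expander("SELECT name FROM users WHERE name IN (:name)",
                           {"name": requested})
    rows = conn.execute(query, args).fetchall()
    return query, sorted(r[0] for r in rows)


# Hostile form input: name[0 ) OR 1=1 -- ]=alice&name[0]=alice.  The second
# element supplies a value for :name_0 so the statement still binds cleanly.
HOSTILE = {"0 ) OR 1=1 -- ": "alice", "0": "alice"}

if __name__ == "__main__":
    for fn in (expand_arguments_vulnerable, expand_arguments_fixed):
        sql, names = lookup(fn, HOSTILE)
        print(f"{fn.__name__}:\n  {sql}\n  -> {names}")
```

With the vulnerable expander the query becomes `... WHERE name IN (:name_0 ) OR 1=1 -- , :name_0)` and every row comes back; the fixed expander produces `IN (:name_0, :name_1)` and returns only alice. The same key-controlled splice is what made the real flaw reachable from any request that Drupal turned into a placeholder array, with no authentication required.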

The bombshell was officially dropped in an advisory late yesterday, ranked ‘Highly Critical’. For all those users concerned, updating to version 7.32 or applying the patch fixes the vulnerability but will not fix a compromised website, the warning read. It gets a little worse, as Michael Hess of the Drupal security team notes: “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
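Hess's indicator only helps if you can tell what state your code is in and compare it with your own change records. The script below is an added example for this page, not a Drupal project tool: it classifies the expandArguments() loop in includes/database/database.inc as the 7.31 shape or the 7.32 shape, reads the VERSION constant from includes/bootstrap.inc, and flags a site whose fix appeared after your last recorded deploy. The docroot layout and the loop patterns are taken from Drupal 7; the two PHP fragments embedded for the demo are constructed, modelled on the pre- and post-fix loop.

```python
import os
import re

# 7.31 iterates `foreach ($data as $i => $value)`; 7.32 replaces it with a
# counter (`$i = 0; foreach ($data as $value) { ... $i++; }`).
VULNERABLE_LOOP = re.compile(r"foreach\s*\(\s*\$data\s+as\s+\$i\s*=>\s*\$value\s*\)")
FIXED_LOOP = re.compile(r"\$i\s*=\s*0;\s*foreach\s*\(\s*\$data\s+as\s+\$value\s*\)")
VERSION_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def classify_expand_arguments(src):
    """'vulnerable', 'patched' or 'unknown' for the text of database.inc."""
    if VULNERABLE_LOOP.search(src):
        return "vulnerable"
    if FIXED_LOOP.search(src):
        return "patched"
    return "unknown"


def drupal_version(src):
    """VERSION constant from bootstrap.inc, or 'unknown'."""
    m = VERSION_RE.search(src)
    return m.group(1) if m else "unknown"


def verdict(state, version, inc_mtime, last_deploy):
    """Combine code state with the operator's own deploy timestamp (epoch seconds)."""
    if state == "vulnerable":
        return "VULNERABLE: database.inc still has the 7.31 loop; update to 7.32 and assume compromise"
    if state == "patched" and inc_mtime > last_deploy:
        return ("SUSPICIOUS: fix present (VERSION %s) but database.inc changed after your last "
                "deploy; if you did not apply it, treat the site as compromised" % version)
    if state == "patched":
        return "patched (VERSION %s)" % version
    return "UNKNOWN: expandArguments loop not recognised; inspect database.inc by hand"


def audit_docroot(docroot, last_deploy):
    """Read the two files from a Drupal 7 docroot and return the verdict string."""
    inc = os.path.join(docroot, "includes", "database", "database.inc")
    boot = os.path.join(docroot, "includes", "bootstrap.inc")
    with open(inc) as f:
        state = classify_expand_arguments(f.read())
    with open(boot) as f:
        version = drupal_version(f.read())
    return verdict(state, version, os.path.getmtime(inc), last_deploy)


# Constructed fragments modelled on the pre- and post-fix loop (demo input).
VULN_FRAGMENT = """
      foreach ($data as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
      }
"""
FIXED_FRAGMENT = """
      $i = 0;
      foreach ($data as $value) {
        $new_keys[$key . '_' . $i] = $value;
        $i++;
      }
"""

if __name__ == "__main__":
    import sys
    # usage: audit.py /var/www/drupal 1413400000  (docroot, epoch of your last deploy)
    print(audit_docroot(sys.argv[1], float(sys.argv[2])))
```

Two caveats: a "patched" result with VERSION still 7.31 means only the one-file patch was applied, which an administrator may legitimately have done, and an intruder who patched the site can also reset file timestamps, so a clean-looking mtime proves nothing. The check corroborates your own records; it does not replace the advisory's guidance to assume compromise if the update was late.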

Hackers who broke into Drupal-based sites may have done all kinds of nasty things, from installing backdoors to simply grabbing all data on that site. They might even be able to use their leverage to compromise other websites and apps hosted on the same server, escalating their attacks. Put simply, this could be catastrophic for victims.

SQL injection is one of the most common attack methods on the web. Tools like sqlmap automate such attacks, requiring little technical skill of the attacker yet leading to devastating results.

[...]
