Drupal Critical Security Announcement

Posted by Will Heinemann on 31 Oct, 2014

Image credit: Gábor Hojtsy

Agencies, freelancers, Drupalers of all kinds have faced a bad fortnight. If you’re involved in Drupal, digital, or you’re a BBC News reader, you’ll be aware of the SQL injection bug that’s compromised security for many of the world’s websites built with the CMS.


What has happened?

As expected, our incredibly proactive and dedicated global Drupal community and security team has been on the case, efficiently working together to move on from the issues the second half of this month has brought. The Drupal security team has been extremely clear about the problem. By taking a matter-of-fact stance they’ve not risked any delay to clearing up the situation. Here’s a quick summary of the SQL injection bug to answer my first question, before we run through the solutions:

  1. It’s been titled SA-CORE-2014-005
  2. Clearly the bug has existed since before mid October, though it was unlikely to have been exploited much before then
  3. On 15th October, Drupal.org announced SA-CORE-2014-005 as highly critical
  4. On 29th October, Drupal.org put out a public service announcement stating that if you had not patched within seven hours of the announcement on 15th October, you should assume your sites to be compromised


What does it mean?

The Drupal.org announcement on 15th October states:

“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”

Only sites running Drupal 7 prior to 7.32 have potentially been affected.
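As an added illustration (not code from this post, from Drupal, or from the security team), here is a small Python check an agency could run across the sites it hosts: it reads the VERSION constant that Drupal 7 defines in includes/bootstrap.inc and flags any release older than 7.32. The file path and the constant name are Drupal's own; the sample file body, the function names and the classification strings are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Drupal 7 records its release in includes/bootstrap.inc as
#   define('VERSION', '7.31');
# The text below is a constructed excerpt of such a file, not a copy of one.
SAMPLE_BOOTSTRAP_INC = """<?php
/**
 * @file
 * Functions that need to be loaded on every Drupal request.
 */

/**
 * The current system version.
 */
define('VERSION', '7.31');

/**
 * Core API compatibility.
 */
define('DRUPAL_CORE_COMPATIBILITY', '7.x');
"""

# First Drupal 7 release carrying the SA-CORE-2014-005 fix.
FIXED_VERSION = (7, 32)

# Matches the define() line, tolerating extra whitespace inside the call.
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def drupal_version_from_bootstrap(text: str) -> Optional[str]:
    """Return the VERSION string defined in a bootstrap.inc body, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[int, int]:
    """Turn '7.31' into a comparable (major, minor) tuple, ignoring any '-suffix'."""
    core = version.split("-", 1)[0]
    major, _, minor = core.partition(".")
    return int(major), int(minor or 0)


def affected_by_sa_core_2014_005(version: str) -> bool:
    """True when a Drupal 7 release predates 7.32; other major versions are out of scope."""
    major, minor = parse_version(version)
    return major == 7 and (major, minor) < FIXED_VERSION


def check_site(bootstrap_text: str) -> str:
    """Classify one site from the content of its includes/bootstrap.inc."""
    version = drupal_version_from_bootstrap(bootstrap_text)
    if version is None:
        return "unknown: no VERSION define found"
    if "-" in version:
        # A '-dev' or '-alpha' snapshot may or may not carry the fix; do not guess.
        return f"unverified: development snapshot {version}, confirm manually"
    if affected_by_sa_core_2014_005(version):
        return f"needs attention: Drupal {version} predates 7.32"
    return f"patched: Drupal {version}"


if __name__ == "__main__":
    # On a real host, read includes/bootstrap.inc from each site's docroot instead.
    print(check_site(SAMPLE_BOOTSTRAP_INC))
```

A passing version check only tells you the site is running fixed code now; per the 29th October announcement, a site that was upgraded late should still be treated as compromised and restored from a backup taken before 15th October, so the "patched" result is a starting point for triage, not a clean bill of health.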


What is the Drupal community doing about it?

The Drupal security team, made up of 43 official members, has been heavily on the case. They’ve been working directly on fixes themselves and have pushed out all necessary information and guidelines to the Drupal community. The security announcements that were issued were very helpful to us as an agency; the clear and easily accessible information allowed us to get our clients’ sites back in good health as soon as possible.

It’s not just Drupal.org that has put out important information and hosted conversations about it. The Drupal Reddit group has raised questions and contributed information that all helps to restore the Drupal balance.

Some more useful discussions:

  1. Sucuri blog
  2. Volexity
  3. Your Drupal site got hacked. Now what?
  4. Drupalgeddon
  5. Acquia blog

Hacking isn’t a modern occurrence – even morse code was messed around with back in the early 1900s. Though lately there seems to have been a surge: Apple iCloud and SnapChat, two huge and extremely widely used software systems, have been really badly affected.

Unfortunately there are people who take advantage of situations like this and push them to see the worst they can do. The difference with Drupal (and I’m not just saying this as a Drupal agency employee!) is that it’s made by the people who use it and love it. It’s open source and relies on volunteers to contribute to make it what it is. And this support is in action constantly.

When everything goes well, it’s the community that has contributed to its success. When big or small issues crop up, we all come together to get fixing and advising: the community has united to solve it.

Has your site been affected by the SQL injection bug? Get in touch if you need to know more about solutions and what to do next.

Tags: Drupal, Online Communities, Drupal community, Drupal.org, Enterprise, business, Security