Agencies, freelancers, Drupalers of all kinds have faced a bad fortnight. If you're involved in Drupal, digital, or you're a BBC News reader, you'll be aware of the SQL injection bug that has compromised the security of many of the world's websites built with the CMS.
What has happened?
As expected, our incredibly proactive and dedicated global Drupal community and security team have been on the case, working together efficiently to move on from the issues the second half of this month has brought. The Drupal security team has been extremely clear about the problem; by taking a matter-of-fact stance they have not risked any delay in clearing up the situation. Here's a quick summary of the SQL injection bug to answer my first question, before we run through the solutions:
It has been given the advisory ID SA-CORE-2014-005
The bug was present in every Drupal 7 release before 7.32, so it existed long before mid October; it is unlikely, though, to have been exploited much before the advisory was published
On 15th October, Drupal.org announced SA-CORE-2014-005 as highly critical and released Drupal 7.32 to fix it
On 29th October, Drupal.org put out a public service announcement stating that if you had not patched within seven hours of the announcement on 15th October, you should assume your sites to have been compromised
What does it mean?
The Drupal.org announcement on 15th October states:
“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”
Only sites running Drupal 7 (versions prior to 7.32) are potentially affected; Drupal 6 does not include this database API and is not affected. Note that patching to 7.32 closes the hole but does nothing for a site that was already compromised through it, which is why the 29th October announcement tells you to assume compromise rather than simply update.
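To make the advisory's description concrete, here is an added example (written for this post, not Drupal's own file) that reproduces, in condensed form, the placeholder-expansion logic of `DatabaseConnection::expandArguments()` in `includes/database/database.inc`, first as it stood before 7.32 and then with the 7.32 fix. Drupal expands an array placeholder such as `:name` into `:name_0, :name_1, ...` by appending the array's keys; before 7.32 those keys came straight from the request, so an anonymous user could put SQL text in a key and have it written into the query. The query template and the request array below are constructed for the demonstration, and nothing here touches a real database.

```php
<?php
// Added example (not Drupal's own file): a condensed reproduction of the
// placeholder-expansion logic in Drupal 7's DatabaseConnection::expandArguments()
// from includes/database/database.inc, first as it stood before 7.32 and then
// with the one-line 7.32 fix. The query text and inputs below are constructed;
// nothing here talks to a database.

// Before 7.32: array *keys* supplied by the caller are written into the SQL text.
function expand_arguments_vulnerable(string &$query, array &$args): bool
{
    $modified = false;
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {          // $i is whatever key the request supplied
            $new_keys[$key . '_' . $i] = $value;
        }
        // The generated placeholder names (and therefore $i) are spliced into $query.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
        $modified = true;
    }
    return $modified;
}

// 7.32: array_values() renumbers the array first, so $i is always 0, 1, 2, ...
// and only "<placeholder>_<integer>" can reach the SQL text.
function expand_arguments_fixed(string &$query, array &$args): bool
{
    $modified = false;
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
        $modified = true;
    }
    return $modified;
}

// Constructed request data. PHP turns a parameter such as
//   name[0 ; UPDATE users SET name = 'owned' -- ]=bob&name[]=alice
// into exactly this array, so the sender controls the keys as well as the values.
// (The trailing space after "--" matters: MySQL only treats "-- " as a comment.)
function hostile_args(): array
{
    return [':name' => ["0 ; UPDATE users SET name = 'owned' -- " => 'bob', 'alice']];
}

// Runs both versions over the same constructed query and returns the expanded SQL
// so the two results can be compared side by side.
function demo(): array
{
    $template = 'SELECT uid, name FROM users WHERE name IN (:name) AND status = 1';

    $q1 = $template;
    $a1 = hostile_args();
    expand_arguments_vulnerable($q1, $a1);

    $q2 = $template;
    $a2 = hostile_args();
    expand_arguments_fixed($q2, $a2);

    return ['vulnerable' => $q1, 'fixed' => $q2];
}

foreach (demo() as $label => $sql) {
    printf("%-10s %s\n", $label, $sql);
}
```

Run it with `php` on the command line. The pre-7.32 version produces `... WHERE name IN (:name_0 ; UPDATE users SET name = 'owned' -- , :name_0) AND status = 1`: the attacker's key has become a second, stacked statement followed by a comment that swallows the rest of the original query, which is what "arbitrary SQL execution" in the advisory means in practice. The fixed version produces `... WHERE name IN (:name_0, :name_1) AND status = 1`, with the hostile key discarded and only the values left to be bound. To check whether a 7.x codebase already carries the fix, look for `array_values($data)` in the `expandArguments()` loop of `includes/database/database.inc`, or confirm that the `VERSION` constant in `includes/bootstrap.inc` reads 7.32 or later.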
What is the Drupal community doing about it?
The Drupal security team, made up of 43 official members, has been heavily on the case. They have been working directly on fixes themselves and have pushed out all the necessary information and guidelines to the Drupal community. The security announcements that were issued were very helpful to us as an agency; the clear and easily accessible information allowed us to get our clients' sites back in good health as soon as possible.
It's not just Drupal.org that has put out important information and hosted conversations about it. The Drupal Reddit group has raised questions and contributed information, all of which helps to restore the Drupal balance.
Unfortunately there are people who take advantage of situations like this and push them to see the worst they can do. The difference with Drupal (and I'm not just saying this as a Drupal agency employee!) is that it's made by the people who use it and love it. It's open source and relies on volunteers to contribute to make it what it is. And this support is in action constantly.
When everything goes well, it's the community that has contributed to its success. When big or small issues crop up, we all come together to fix and advise: the community has united to solve it.
Has your site been affected by the SQL injection bug? Get in touch if you need to know more about solutions and what to do next.