專題文章Drupal架站軟體資安漏洞,版本7.x存在SQL injection弱點,請盡速更新至7.31版本

83866
次閱讀
專題文章

請依官網公告更新至7.31以上版本,或是安裝patch修正/includes/database/database.inc檔案
https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch

本弱點可以讓攻擊者繞過帳號認證取得網站管理者權限,目前網路上已經有實作入侵的工具出現,使用Drupal之網頁需要盡速更新。



Posted by Drupal Security Team on October 15, 2014 at 4:02pm

Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued

  • CVE-2014-3704

Versions affected

  • Drupal core 7.x versions prior to 7.32.

Solution

Install the latest version:

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page.

Reported by

  • Stefan Horst

Fixed by

Coordinated by

Contact and More Information

We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    WR網頁設計公司