SA-CORE-2014-005 - Drupal core - SQL injection
Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests that result in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
Patch: SA-CORE-2014-005-D7.patch
See also:
- Security risk SA-CORE-2014-005 - Drupal core - SQL injection at Drupal.org
- FAQ on SA-CORE-2014-005 at Drupal.org
- Drupalgeddon module
- Database ExpandArguments placeholder naming issues when using array at Drupal.org (independently reported in the public Drupal issue tracker a year ago, without recognizing the impact)
- Advisory 01/2014: Drupal - pre Auth SQL Injection Vulnerability at sektioneins.de
- SA-CORE-2014-005 - Drupal core - SQL injection at reddit
- drupal_drupageddon module for Metasploit framework at GitHub
- Blog: Of Drupageddon and other fancy names at 0x776b7364
- Blog: Drupal SQL Injection Attempts in the Wild at sucuri.net
- Blog: Your Drupal website has a backdoor at drupal.geek.nz