Dangerous bug in Drupal 7 leaves CMS prone to SQL injection – update

Version 7 of the open-source Drupal CMS contains a bug in its so-called database abstraction API. The bug allows malicious SQL injections to be executed on vulnerable websites. Drupal calls the bug very critical and has released update 7.32.

The bug in Drupal Core, the base of the CMS, is a painful one for Drupal: the database abstraction API is meant to check the quality of the input to database queries. In addition, the error in the code was publicly posted on the Drupal website almost a year ago. It nevertheless appears to be possible to carry out SQL injections on Drupal websites running version 7.x. This allows an attacker to obtain administrator rights and, among other things, steal data, delete it, or take a site offline.

Drupal calls the bug ‘very critical’ and has since released version 7.32 to close the hole. Users of Drupal 7.31 and lower are advised to install the update as soon as possible. Drupal users who are unable to update their website can also carry out a manual repair by modifying the code in the file ‘database.inc’. Version 6.x is not vulnerable to this attack.

Update, 20.00: The bug is also present in the beta of Drupal 8. An update has been released to fix the bug.
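The version guidance above can be turned into a quick inventory triage. The following is an added example, not code from Drupal or from the article; the hostnames, the inventory format and the status labels are constructed for illustration, and pre-release 7.x builds are conservatively treated as needing a manual check.

```python
import re

FIXED_7 = (7, 32)  # first fixed 7.x release named in the article

def classify(version):
    """Map a reported Drupal version string to a triage status."""
    m = re.fullmatch(r"(\d+)\.(\d+|x)(?:\.(\d+))?(?:-([a-z0-9.+-]+))?",
                     version.strip().lower())
    if not m:
        return "unknown"
    major, minor, suffix = int(m.group(1)), m.group(2), m.group(4) or ""
    if major == 6:
        return "not-affected"          # article: 6.x is not vulnerable
    if major == 7:
        if minor == "x" or suffix:     # e.g. 7.x-dev: assumption, check by hand
            return "unknown"
        # Compare as integers: as strings, "7.9" would sort after "7.31".
        return "vulnerable" if (7, int(minor)) < FIXED_7 else "patched"
    if major == 8 and "beta" in suffix:
        return "check-beta"            # article names no fixed beta version
    return "unknown"

def triage(inventory):
    """Group hosts by status from lines of '<host> <version>'."""
    report = {}
    for line in inventory.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, version = line.partition(" ")
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = """\
# host version
shop.example.org 7.31
blog.example.org 7.9
intranet.example.org 7.32
legacy.example.org 6.33
lab.example.org 8.0.0-beta1
dev.example.org 7.x-dev
"""

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:13} {', '.join(hosts)}")
```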
