
=====================================================================

                           CERT-Renater

               Information Notice No. 2014/VULN229
_____________________________________________________________________

DATE                : 16/10/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions 7.x prior to
                     7.32.

======================================================================
https://www.drupal.org/SA-CORE-2014-005
______________________________________________________________________


SA-CORE-2014-005 - Drupal core - SQL injection
Posted by Drupal Security Team on October 15, 2014 at 4:02pm

    Advisory ID: DRUPAL-SA-CORE-2014-005
    Project: Drupal core
    Version: 7.x
    Date: 2014-Oct-15
    Security risk: 20/25 (Highly Critical)
                   AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
    Vulnerability: SQL Injection

Description

Drupal 7 includes a database abstraction API to ensure that queries
executed against the database are sanitized to prevent SQL injection
attacks.

A vulnerability in this API allows an attacker to send specially
crafted requests resulting in arbitrary SQL execution. Depending on the
content of the requests this can lead to privilege escalation,
arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.


CVE identifier(s) issued

    CVE-2014-3704


Versions affected

    Drupal core 7.x versions prior to 7.32.


Solution

Install the latest version:

    If you use Drupal 7.x, upgrade to Drupal core 7.32.

If you are unable to update to Drupal 7.32 you can apply this patch to
Drupal's database.inc file to fix the vulnerability until such time as
you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page.
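An exposure check for this advisory, added here as an example and not part of the CERT-Renater notice or of Drupal itself: it reads the VERSION constant from includes/bootstrap.inc and looks in includes/database/database.inc for the 7.32 change to expandArguments() (iterating over array_values($data)), so a 7.x install with only the interim database.inc patch applied is reported as patched rather than vulnerable. The file paths and the marker string are assumptions about a standard Drupal 7 docroot.

```python
"""Exposure check for SA-CORE-2014-005 / CVE-2014-3704 on Drupal 7 installs.

Added example, not part of the advisory. Reads includes/bootstrap.inc for the
VERSION constant and checks includes/database/database.inc for the 7.32
change to expandArguments() (iterating over array_values($data)).
"""
import re
from pathlib import Path

FIXED_VERSION = (7, 32)
# Drupal 7 declares its version as define('VERSION', '7.31'); in bootstrap.inc.
VERSION_RE = re.compile(r"define\('VERSION',\s*'(\d+)\.(\d+)")
# Marker for the fix: assumes the patched loop reads as it does in Drupal 7.32.
PATCHED_LOOP = "foreach (array_values($data) as $i => $value)"


def parse_version(bootstrap_inc: str) -> tuple:
    """Return (major, minor) from bootstrap.inc, e.g. (7, 31)."""
    m = VERSION_RE.search(bootstrap_inc)
    if not m:
        raise ValueError("no Drupal VERSION constant found")
    return int(m.group(1)), int(m.group(2))


def assess(bootstrap_inc: str, database_inc: str) -> dict:
    """Classify one install from the contents of the two files."""
    version = parse_version(bootstrap_inc)
    # Only 7.x releases before 7.32 are in scope for this advisory.
    affected_release = version[0] == 7 and version < FIXED_VERSION
    patched = PATCHED_LOOP in database_inc
    return {
        "version": "%d.%d" % version,
        # Vulnerable only if the release is affected and the interim
        # database.inc patch from the advisory is absent.
        "vulnerable": affected_release and not patched,
        "interim_patch": affected_release and patched,
    }


def assess_site(root) -> dict:
    """Same check against a Drupal docroot on disk (assumed standard layout)."""
    root = Path(root)
    return assess(
        (root / "includes" / "bootstrap.inc").read_text(),
        (root / "includes" / "database" / "database.inc").read_text(),
    )


# Constructed samples standing in for the two files of an unpatched 7.31 site.
SAMPLE_BOOTSTRAP_731 = "<?php\ndefine('VERSION', '7.31');\n"
SAMPLE_DATABASE_OLD = "foreach ($data as $i => $value) {\n"
SAMPLE_DATABASE_NEW = "foreach (array_values($data) as $i => $value) {\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BOOTSTRAP_731, SAMPLE_DATABASE_OLD))
```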


Reported by

    Stefan Horst

Fixed by

    Stefan Horst
    Greg Knaddison of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team
    David Rothstein of the Drupal Security Team
    Klaus Purer of the Drupal Security Team

Coordinated by

    The Drupal Security Team

Contact and More Information

We've prepared a FAQ on this release. Read more at
https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or
via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.




=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
