[ESIP-all] Flagging post-hoc highly critical Drupal 7.32 security vulnerabilities

David Bassendine via ESIP-all esip-all at lists.esipfed.org
Mon Nov 3 20:15:29 EST 2014


Hi everyone,

If you are running Drupal 7 you're hopefully aware that a Highly Critical
security vulnerability was announced on 10/15. What's not been so clear
until now is *even if you upgraded to 7.32, unless you did so by 10/15
23:00 UTC / 19:00 EDT (7 hours after the announcement) you could still be
vulnerable*. The hole allowed SQL injection, which could give hackers full
control of a site. A number of automated attacks quickly emerged that
installed backdoors which are hard to detect and could be exploited later.
If you have not been aware of this, you should quickly update your codebase
and revert to a database backup of 10/15 or earlier.

Here is a more detailed rundown of the vulnerability and how to address it.

The Drupal Security Team followed up on the initial security alert (
https://www.drupal.org/SA-CORE-2014-005) with an announcement emphasizing
the severity of the vulnerability and potential vulnerability of sites not
updated within seven hours of the original announcement (
https://www.drupal.org/PSA-2014-003).

Sites on the Pantheon (http://goo.gl/JZOIFu) or Acquia (http://goo.gl/Vzg4TE)
hosting platforms, or those using CloudFlare's DNS-level Web Application
Firewall (http://goo.gl/rJMVev), received protection against known attacks.
However, that doesn't exclude unknown attacks getting through over the
period the site was unpatched. The only way to be completely safe is to
remove your site completely and reinstall using a backup from 10/15 or
earlier.

For those running Drupal 7 sites on other hosting providers, you should
upgrade your core codebase to 7.32 as soon as possible. You can check for
known attacks: Pantheon provided a useful rundown of potential attacks and
how to look for them
(https://www.getpantheon.com/blog/what-we-are-seeing-drupal-sa-2014-005).
However, this list is far from exhaustive, especially since a couple of
weeks have since passed, and backdoors can be hard to detect. The only way
to be secure, and the recommended approach, is to remove the site and
re-install using a backup of 10/15 or earlier.
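As an added example (my own script, not something from the Drupal Security Team or Pantheon), here is a small triage helper for the two questions above: is the core codebase already at 7.32, and which files on disk changed after the seven-hour window closed on 10/15 23:00 UTC? It assumes a standard Drupal 7 layout where includes/bootstrap.inc carries the `define('VERSION', '7.xx')` line, and it builds a constructed sample site in a temporary directory so it runs offline. Files it lists are only leads for review: a legitimate 7.32 upgrade rewrites core files too, so a non-empty list does not by itself prove compromise, and an empty one does not prove the site is clean.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# SA-CORE-2014-005 was fixed in Drupal 7.32; PSA-2014-003 treats sites not
# patched by 2014-10-15 23:00 UTC (about 7 hours after the advisory) as
# potentially compromised.
FIXED_VERSION = (7, 32)
PATCH_WINDOW_END = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)

# Drupal 7 core declares its version in includes/bootstrap.inc.
VERSION_RE = re.compile(r"define\('VERSION',\s*'(\d+)\.(\d+)'\)")


def read_core_version(docroot):
    """Return (major, minor) parsed from includes/bootstrap.inc, or None."""
    path = os.path.join(docroot, "includes", "bootstrap.inc")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
    except OSError:
        return None
    return (int(match.group(1)), int(match.group(2))) if match else None


def files_changed_since(docroot, cutoff=PATCH_WINDOW_END):
    """Relative paths (with '/' separators) of files whose mtime is after cutoff."""
    cutoff_ts = cutoff.timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) > cutoff_ts:
                hits.append(os.path.relpath(full, docroot).replace(os.sep, "/"))
    return sorted(hits)


def triage(docroot, cutoff=PATCH_WINDOW_END):
    """Summarise patch state and post-window file changes for one docroot.

    'review_recommended' is True unless core is at the fixed version AND nothing
    on disk changed after the window; it never proves a site is clean, and the
    advisory's guidance (restore from a pre-10/15 backup) still applies when the
    patch time is unknown.
    """
    version = read_core_version(docroot)
    changed = files_changed_since(docroot, cutoff)
    core_patched = version is not None and version >= FIXED_VERSION
    return {
        "version": version,
        "core_patched": core_patched,
        "changed_since_cutoff": changed,
        "review_recommended": (not core_patched) or bool(changed),
    }


def make_sample_site():
    """Constructed sample: an unpatched 7.31 site with one file written after the window."""
    root = tempfile.mkdtemp(prefix="drupal-triage-")

    def write(rel, content, when):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(full, (when.timestamp(), when.timestamp()))

    before = datetime(2014, 10, 1, tzinfo=timezone.utc)
    after = datetime(2014, 10, 20, tzinfo=timezone.utc)
    write("includes/bootstrap.inc", "<?php\ndefine('VERSION', '7.31');\n", before)
    write("sites/default/settings.php", "<?php\n$databases = array();\n", before)
    # Constructed indicator only: a file that appeared after the patch window.
    write("sites/default/files/x.php", "<?php\n", after)
    return root


if __name__ == "__main__":
    report = triage(make_sample_site())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real docroot with `triage('/var/www/mysite')` (hypothetical path). Treat any listed file under sites/default/files or any unexpected .php file as something to inspect by hand, and remember that the script reads only file metadata; an attacker who set mtimes back, or who planted changes in the database rather than on disk, will not show up here.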

More info:

   - FAQ - https://www.drupal.org/drupalsa05FAQ
   - Twitter updates on #drupalsa05 - https://twitter.com/hashtag/drupalsa05
   - Overview of the hole and how it's being exploited:
     https://www.ostraining.com/blog/drupal/8-things-drupal-security


To protect yourselves from future attacks, some steps you could take are:

   - Keep up to date with Security announcements
      - Mailing list - https://lists.drupal.org/mailman/listinfo/security-news
      - Web page - https://www.drupal.org/security/
      - RSS - https://www.drupal.org/security/rss.xml
      - Twitter - https://twitter.com/DrupalSecurity
   - Have a process to apply updates within a particular timeframe (i.e. no
     more than 24 hours)
   - Migrate to Pantheon/Acquia platform hosting - makes it easier and
     quicker to apply updates, and adds some built-in protections
   - Use CloudFlare's DNS-level web application firewall - blocks most
     malicious requests from ever reaching sites

Thanks, hopefully everyone will stay safe and secure - David