It’s usually good news when an IT administrator checks an application’s status and finds that it’s fully patched. But a new alert going around about a vulnerability in the open source Drupal Web content management system says something else.
A “Highly Critical” public service announcement put out by the Drupal Security Team on Wednesday warns that unless the SQL API bug in Drupal 7 was fixed within hours of the patch being issued on Oct. 15, you should assume your site has been successfully infiltrated.
“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” the alert said.
Here’s the important bit: “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
Drupal is a popular framework used by a wide range of businesses and governments, including the Canadian government, Economist and Fast Company magazines, Sony Music and Warner Brothers Records.
One strategy the security team recommends is rolling back your site to a backup taken before Oct. 15, then installing the patch.
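The two rules the advisory gives a defender (assume compromise unless patched before the Oct. 15, 11pm UTC cutoff, and treat a patch you did not apply yourself as a symptom) can be turned into a simple triage check. The following is an added example, not code from the Drupal Security Team or Drupal.org; the file paths, timestamps and administrator change log it uses are constructed sample data, and the 5-minute tolerance for matching a recorded change is an assumption.

```python
"""Triage helpers for the SA-CORE-2014-005 advisory rules (added example)."""
from datetime import datetime, timezone

# Cutoff quoted in the advisory: Oct 15th 2014, 11pm UTC.
CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)
# Assumption: an admin record within 5 minutes of a file's mtime explains it.
MATCH_TOLERANCE_SECONDS = 300


def parse_ts(iso_ts):
    """Parse an ISO-8601 timestamp such as 2014-10-16T03:12:00Z."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))


def assume_compromised(patched_at):
    """Advisory rule 1: assume compromise unless patched before the cutoff.

    patched_at is the ISO-8601 time the admin applied 7.32 or the patch,
    or None if the site was never patched.
    """
    return patched_at is None or parse_ts(patched_at) >= CUTOFF


def unexplained_changes(file_mtimes, admin_changes):
    """Advisory rule 2: core files changed after the cutoff with no record
    in the admin's own change log, i.e. a patch you did not apply yourself.

    file_mtimes:   {path: ISO-8601 mtime} taken from the live site.
    admin_changes: {path: ISO-8601 time} from the admin's deployment records.
    """
    flagged = []
    for path, mtime in file_mtimes.items():
        when = parse_ts(mtime)
        if when < CUTOFF:
            continue  # changed before the window of automated attacks
        recorded = admin_changes.get(path)
        if recorded is None or abs((parse_ts(recorded) - when).total_seconds()) > MATCH_TOLERANCE_SECONDS:
            flagged.append(path)
    return sorted(flagged)


# Constructed sample inventory: two core files touched at 03:12 UTC on Oct 16
# that the admin never recorded, and one file the admin did change in September.
SAMPLE_MTIMES = {
    "includes/database/database.inc": "2014-10-16T03:12:00Z",
    "includes/bootstrap.inc": "2014-10-16T03:12:00Z",
    "sites/default/settings.php": "2014-09-01T10:00:00Z",
}
SAMPLE_ADMIN_LOG = {"sites/default/settings.php": "2014-09-01T10:00:00Z"}

if __name__ == "__main__":
    print("assume compromised:", assume_compromised(None))
    print("unexplained changes:", unexplained_changes(SAMPLE_MTIMES, SAMPLE_ADMIN_LOG))
```

A site that trips either check is a candidate for the roll-back-then-patch recovery described above rather than for patching in place.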
Drupal.org is responsible for the standard release of the framework. As with Linux, a number of independent software vendors around the world add modules that extend the base capabilities. Drupal estimated last fall that there were some 30,000 developers in its community.
Some organizations run it on-premises, while many service providers host the application for enterprises that want to use it as a service.