Warning issued for Drupal sites

It’s usually good news when an IT administrator checks an application’s status and finds that it’s fully patched. But a new alert going around about a vulnerability in the open source Drupal Web content management system says something else.

A “Highly Critical” public service announcement put out by the Drupal Security Team on Wednesday warns that unless a SQL API bug in Drupal 7 was fixed within hours of a patch being issued on Oct. 15, you should assume your site has been successfully infiltrated.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” the alert said.

Here’s the important bit: “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”

Drupal is a popular framework used by a wide range of businesses and governments, including the Canadian government, Economist and Fast Company magazines, Sony Music and Warner Brothers Records.

One strategy the security team recommends is rolling back your site to before Oct. 15, then installing the patch.

Drupal.org is responsible for the standard release of the framework. As with Linux, a number of independent software vendors around the world add modules to extend the base capabilities. Drupal estimated last fall there were some 30,000 developers in its community.

Some organizations run it on-premises, while many service providers host the application for enterprises that want to use it as a service.




Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
