Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution.
The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks.
“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks,” the Drupal advisory says.
“A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.”
The vulnerability can be exploited by any visitor to the site, without authentication. The Drupal security team recommends that users update their installations as soon as possible to version 7.32. Drupal is one of the more popular CMS packages used by site owners and is deployed in a huge number of places, from the low end to the high end.
“Although there are no known exploits in use at this time, Drupal 7 sites are exposed to this vulnerability until they are updated. Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information,” Drupal said in its advisory.