Drupal has released a security advisory to address an application program interface (API) vulnerability that could allow an attacker to execute arbitrary SQL commands on an affected system. This can lead to various attacks, including privilege escalation and arbitrary PHP execution.
Drupal is the third most popular Content Management Systems used on web sites, according to w3techs.com.
The Drupal critical bug has been characterized as easily exploitable and affects all Drupal core 7.x versions prior to 7.32. According to Drupal, this vulnerability provides a way for an attacker to create an exploit without needing an account or having to obtain an account holder’s confidential information and credentials.
In an instance of great irony, the vulnerability was introduced in the database abstraction API that is used to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
The Drupal security team refers to this as a Highly Critical SQL injection bug introduced in Drupal Version 7, but reports that it has already been fixed in Version 7.32 now available. The bug has been observed being exploited by hackers.
Admins maintaining Drupal sites are urged to upgrade to the most current version as soon as possible.