A blog on Computer Science, Security, Programming, and more...

HeapSpray Blog » Security » View Post


SA-CORE-2014-005 - Drupal core - SQL injection

Written by Matt

Yet another exploit for one of the "everything and the kitchen sink" CMS. It really goes to show how wonderful dynamically typed languages are for security, especially PHP which is basically stochastically typed.

Another thing which has no effect on me, since I wrote this from scratch and I'm not stupid enough to construct objects directly from user input and pass them into an SQL generation function that sets the column names.

The best part is the description of what the exploit targets from Drupal's official site:

"Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks."

How's that working out for you? Prepared queries, careful programming and flattening objects before passing them directly into the field list would have prevented all of this.

Details of the issue here: https://www.drupal.org/SA-CORE-2014-005

  • Name and Email fields are optional
  • Your email will not be public, only the administrator can see it
  • You are rate limited to one comment for every 10 minutes