[personal profile] mdlbear

Advisory 01/2014: Drupal - pre Auth SQL Injection Vulnerability

A "highly critical public service announcement" from Drupal [LWN.net]: "Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."

Impressive. I think this is an appropriate place to quote one of my father's aphorisms: "A locked car with an open window is NOT a locked car."

If PHP is your open window, you may as well leave the keys on the dashboard where they're easy to see.

Date: 2014-10-31 12:35 am (UTC)
From: [identity profile] jcfiala.livejournal.com
Yeah, as a guy who puts together Drupal sites, this has been a shockingly bad fuckup somewhere. No one noticed that it was a problem - this has been in the code since 7.0 and it's now 7.32 - and then when it was announced it may not have quite been announced as strongly as it could have been, because I didn't realize at first that scrubbing the array indexes on this one line was that important.

And I'm really glad I never got around to updating my personal sites from Drupal 6.x yet, because they aren't vulnerable to this attack.

Date: 2014-11-02 04:41 am (UTC)
From: [identity profile] rowanf.livejournal.com
Wow, that is huge.
