![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
PSA: PHP Must Die
2014-10-30 07:01 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mdlbearAdvisory 01/2014: Drupal - pre Auth SQL Injection Vulnerability
A "highly critical public service announcement" from Drupal [LWN.net] "Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."
Impressive. I think this is an appropriate place to quote one of my father's aphorisms: "A locked car with an open window is NOT a locked car."
If PHP is your open window, you may as well leave the keys on the dashboard where they're easy to see.
no subject
Date: 2014-11-02 04:41 am (UTC)