Oct 17, 2014

Highly critical SQL injection vulnerability in Drupal - mass-fixed on our servers

On Oct 15, 2014, Drupal developers issued a notification of a critical SQL injection vulnerability, which affected all current Drupal 7.x versions. More information on the matter can be found at https://www.drupal.org/SA-CORE-2014-005.

The existing proof of concept allowed hackers to turn the SQL injection vulnerability into remote code execution / file upload, and there are reports of many hack attempts against Drupal sites on the Internet. To protect the Drupal sites of our customers until they update their installations, we patched over 3000 Drupal installations on our servers. The applied patch does not affect the operation of the sites, but eliminates the threat posed by the announced vulnerability.

Customers still must update their Drupal installations to the latest version from Drupal.org.