Extremely critical Drupal vulnerability

Drupal is a Content Management System, similar to WordPress and Joomla. On October 15th, a very dangerous vulnerability in Drupal was announced. Within hours, exploits attacking this vulnerability started to appear on the web.

Yesterday, a special follow-up Public Service Announcement was posted on the Drupal web site. From the Drupal PSA:

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement. Simply updating to Drupal 7.32 will not remove backdoors.

Anyone who runs a Drupal site should deal with this issue immediately.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
