Thursday, October 30, 2014

Assume ‘Every Drupal 7 Site Was Compromised’ Unless Patched By Oct. 15

A follow-up to my last post. This is a bit alarmist, but evidently this is a serious vulnerability in the product. From ThreatPost:

Assume ‘Every Drupal 7 Site Was Compromised’ Unless Patched By Oct. 15

Gotta love the irony here:
"The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward."
