
Exploit: SQL Injection Vulnerability in Drupal 7.x

Security researchers from SektionEins have discovered a critical SQL injection vulnerability in the Drupal CMS that puts a very large number of Drupal-based websites at risk.

Drupal introduced a database abstraction API in version 7. The purpose of this API is to prevent SQL injection attacks by using prepared statements: the application supplies a query with named placeholders and the values are bound separately, so they are never spliced into the SQL text.

This API itself introduced a new and critical SQL injection vulnerability. The bug allows attackers to run arbitrary SQL queries, and from there PHP code, on vulnerable websites. Successful exploitation lets an attacker take complete control of the site.

The vulnerability can be exploited by an unauthenticated user and has been rated "Highly Critical".

If you cannot upgrade immediately, you can also patch the vulnerability by editing the "includes/database.inc" file directly: replace "foreach ($data as $i => $value) {" with "foreach (array_values($data) as $i => $value) {" at line 739. The root cause is that the keys of an array-valued query argument are used to build the names of the expanded placeholders, and those keys can be supplied by the attacker; array_values() discards the attacker-controlled keys and renumbers the array from 0.
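To make the one-line fix concrete, here is an added example that is not part of the original post and is not Drupal's own code: a small Python model of the placeholder expansion that Drupal 7's DatabaseConnection::expandArguments() performs in "includes/database.inc", written once with the vulnerable loop and once with the array_values() fix. PHP arrays are modelled as Python dicts, the query and the attacker-supplied key are constructed sample input, and the only SQL shown is the expanded query text, so nothing here talks to a database.

```python
"""Model of Drupal 7 placeholder expansion (vulnerable vs. fixed).

This is an illustrative re-implementation, NOT Drupal's PHP code.  Drupal
expands an array-valued argument such as {":name": [..]} into one placeholder
per element (":name_0, :name_1, ...") and splices that list into the query.
"""
import re

# Constructed sample input: a query with one array-valued placeholder.
QUERY = "SELECT name FROM users WHERE name IN (:name)"
# What a well-behaved caller passes (PHP array with keys 0, 1).
BENIGN_ARGS = {":name": {0: "alice", 1: "bob"}}
# What an attacker can pass when the array comes from request data such as
# name[0 OR 1=1 -- ]=x : the KEY carries the payload, the value is harmless.
MALICIOUS_ARGS = {":name": {"0 OR 1=1 -- ": "x"}}


def _expand(query, args, reindex):
    """Expand array-valued placeholders.

    reindex=False mirrors the vulnerable loop  foreach ($data as $i => $value)
    reindex=True  mirrors the fixed loop       foreach (array_values($data) ...)
    Returns (expanded_query, flat_args).
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        # array_values() throws away the original keys and renumbers 0..n-1.
        items = enumerate(data.values()) if reindex else data.items()
        new_keys = {f"{key}_{i}": value for i, value in items}
        # Drupal: preg_replace('#' . $key . '\b#', implode(', ', keys), $query)
        placeholder_list = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholder_list, query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Pre-patch behaviour: array keys (attacker-controlled) land in the SQL."""
    return _expand(query, args, reindex=False)


def expand_arguments_fixed(query, args):
    """Post-patch behaviour: keys are discarded, only positions 0..n-1 remain."""
    return _expand(query, args, reindex=True)


def key_leaks_into_sql(query, args):
    """Check: does any text from the argument keys appear verbatim in the query?
    A safe expansion only ever adds placeholders of the form :name_<int>."""
    expanded, _ = expand_arguments_vulnerable(query, args)
    return not all(re.fullmatch(r":\w+_\d+", k) for k in _expand(query, args, False)[1])


if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable),
                      ("fixed", expand_arguments_fixed)):
        q, a = fn(QUERY, MALICIOUS_ARGS)
        print(f"{label:10s} query: {q}")
        print(f"{'':10s} args : {a}")
```

For the benign input both versions produce `... IN (:name_0, :name_1)` with `alice` and `bob` bound separately. For the malicious input the vulnerable version emits `... IN (:name_0 OR 1=1 -- )`, so the attacker's key is now part of the SQL text and only `:name_0` is treated as a bound parameter; the fixed version emits `... IN (:name_0)` and binds `x`, which is exactly why replacing `$data` with `array_values($data)` closes the hole.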

A proof of concept has been released publicly that allows anyone to change the password of the admin account. So hurry up and update your Drupal installation.

A reddit user, "fyukyuk", posted an HTTP POST request that exploits this vulnerability.

The following Python code changes the admin password of a vulnerable Drupal installation to 'admin' (tested with Drupal versions 7.21 and 7.31).
