/plushcap/analysis/cloudflare/drupal-7-sa-core-2014-005-sql-injection-protection

Drupal 7 SA-CORE-2014-005 SQL Injection Protection

What's this blog post about?

On October 16, 2014, the Drupal Security Team released a critical security patch for Drupal 7 addressing a severe SQL injection vulnerability. Cloudflare also updated its Web Application Firewall (WAF) rules to mitigate this issue. Customers using Cloudflare's WAF with the Drupal ruleset enabled received automatic protection. Rule D0002 provides specific protection against this vulnerability, and users can enable it by clicking the ON button next to "CloudFlare Drupal" in the WAF Settings. While Cloudflare's WAF can help mitigate such vulnerabilities, it is crucial that Drupal 7 users upgrade to the safe version of Drupal immediately. On October 29, 2014, the Drupal Security Team issued a PSA stating that every Drupal 7 website was likely compromised unless updated or patched before Oct 15th, 11 pm UTC. Users who did not update their Drupal 7 installation should read the PSA and follow instructions on cleaning up their site. Updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If a site appears patched without user action, it may indicate that the site was compromised, as some attacks have applied the patch to gain control of the site.

Company
Cloudflare

Date published
Oct. 16, 2014

Author(s)
John Graham-Cumming

Word count
278

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.