By Dr. Samir Kelekar, Senior Consultant, Indusface

Drupal Attack

It’s been almost a month, since a team of Drupal admitted that every site functioning on Drupal was affected by a vulnerability. And within 7 hours of this announcement, the websites affected started getting attacked by hackers, giving them hardly any time to patch against this vulnerability, which got overshadowed by POODLE, but is essentially as dangerous as Heartbleed.

What is the problem?

This problem was disclosed on the 15t of October that Drupal 7 was highly vulnerable to SQL injection. This is a SQL injection vulnerability, found in the Drupal Core. This vulnerability is caused due to insufficient authentication of the data input by users, when expanding argument values used in SQL queries. This exposed the Drupal users to database layer attacks which can facilitate hackers in extracting the web application data.

One factor that makes this vulnerability particularly dangerous is that it can be used to attack a target without an account, and no trace of the attack afterward can be seen.

The first victims

Acquia, an open cloud hosting provider, was reportedly one of the first’s to be hit by the vulnerability. Although it announced on Oct. 31 in a blog post that as soon as the security announcement had come out, they had deployed a platform-wide shield to protect customer sites on its cloud.

The scope of threat for this vulnerability and 30 days from the announcement, is everything fixed today?

With 2.7% of the world’s website on Drupal, ranging from personal blogs to corporate, political, and government sites including and , scope of threat was huge. Moreover, Drupal is also a CMS, so that heightened the risk. After two weeks of their initial announcement, Drupal gave another update. They re-stated that websites not updated or patched within seven hours of the first security update, should further proceed with the assumption that they were affected. The bigger announcement was that merely updating to Drupal 7.32 will not remove the vulnerability.

Even today, thousands of websites running on Drupal are affected by this highly critical security flaw. The Drupal team had already announced in its security announcement that “If you did not update your site within seven hours of the bug being announced, we consider it likely your site was already compromised”

Taking advantage of the websites still waiting to deploy fix, attackers are exploiting the vulnerability using automated tools as one attack method. Some are smartly installing a back door on affected systems and then patching the flaw, thereby ensuring that no other attacker can exploit the targeted site. This would also mean that the system administrators will not realize that the system was ever vulnerable and will therefore remain unknown about the backdoor and constantly leaking information.

Is only Drupal affected by such vulnerabilities?  

Not really. WordPress is another CMS which usually emerges on top of the most attacked CMS. The reason for this popular duo being most targeted is simple. If hackers gain control of a popular app or a platform, it is financially beneficial in form of stealing data from them or using the affected systems as zombies in botnet. In either case, the ROI is good and hence it’s worth the hacker’s time and effort to do all the digging and research specific to the target.

What this essentially means is that it’s important to remain up-to-date on the latest software updates and fixes and in case of a vulnerability being disclosed or found, react quickly to patch.

The precautions and the Fix

So you tested your system, and you found it’s fixed. You are happy, very happy.

Well, you shouldn’t be. This can be a symptom that the site was compromised, and later patched, as we have explained above. Attackers can create backdoors in database, codes, files directory etc. and use them to take control of your system, steal data or escalate privileges. You can try to remove all backdoors but there is no surety that you have been able to find all of them. And the infiltrator might already have a copy of all your data.

“The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014,” the statement says.

Instant measures need to be taken by Drupal users, who did not apply the patch within hours of the announcement, and as the stats are showing, the affected users will be many. While it will be easy to put the blame on administrators, it will not be fair, as with the speed the attacks happened, it would not have been possible for system administrators to update their systems timely.

According to Jerome Segura, senior security researcher, “The best defense in this arms race is about protecting your properties in various ways that complement each other,” he said. “While patching is important, there are other methods to defend against such attacks, for example by hardening your website against SQL injections, brute force attacks, and also by deploying a Web application firewall which can detect malicious behavior and stop them before they reach your internal applications.”

Please consult us for your Website Security Check and further protection:

Help link from Drupal:

Help Link from Indusface: