
We're accustomed to the Drupal security team releasing security fixes.

Fortunately, most of the fixes were relatively minor. They either impacted a small group of sites, or they were unlikely to lead to your site being hacked.

Let's take a brief look at the 4 previous Drupal security advisories in 2014:

  • Drupal 7.31: A possible denial of service, so your site could be inaccessible
  • Drupal 7.29: A possible denial of service, so your site could be inaccessible
  • Drupal 7.27: Some private information could possibly be leaked from people using multi-step forms
  • Drupal 7.26: It's possible to take over an administrator account, but only if they're using OpenID

None of those issues were absolutely critical for all sites.

Drupal 7.32 is different. All site owners need this security fix.

Drupal.org has an FAQ on this security release:

"Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information."

In short, the issue fixed by 7.32 could allow an anonymous attacker to compromise any Drupal site. It's the most serious Drupal security issue in a long time.

You should update. Now.

Where is the security issue?

The problem file is /includes/database/database.inc.

Here's the old, vulnerable code, starting at line 735:

[screenshot of the old code, not reproduced here]

Here's the new, safer code, again starting at about line 735:

[screenshot of the new code, not reproduced here]

So, replace this line in database.inc:

foreach ($data as $i => $value) {

with this line:

foreach (array_values($data) as $i => $value) {
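To see why that one-word change matters, here is an added example (not Drupal's own code, although it mirrors the shape of the placeholder-expansion loop in database.inc): a simplified stand-in for the function, run once unpatched and once patched. The query text and argument names are constructed for illustration.

```php
<?php
// Added example, not Drupal's code: a simplified stand-in for the loop
// that 7.32 changed. Drupal expands an array argument such as
// ':ids' => [1, 2] into the placeholders ':ids_0, :ids_1' by appending
// each array key to the placeholder name, then splices those names
// into the SQL text.
function expandArguments(string $query, array $args, bool $patched): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        // Before 7.32 the keys of $data were used as-is. The fix wraps
        // $data in array_values(), so $i is always 0, 1, 2, ... no matter
        // what keys the caller (or the request that built $data) supplied.
        $iter = $patched ? array_values($data) : $data;
        foreach ($iter as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        // The generated placeholder names become part of the query string.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

$sql = 'SELECT * FROM {users} WHERE uid IN (:ids)';

// Normal use: a plain list. The output is the same before and after the fix,
// because a list already has the keys 0 and 1.
[$q, $a] = expandArguments($sql, [':ids' => [1, 2]], false);
echo "unpatched, list input:        $q\n";

// Constructed input whose array key is a string rather than a number.
// Unpatched, that key is appended to ':ids_' and lands inside the SQL text,
// so whoever controls the keys controls part of the query.
[$q, $a] = expandArguments($sql, [':ids' => ['x' => 1]], false);
echo "unpatched, string-keyed input: $q\n";

// Patched: array_values() discards the key, so only a numbered placeholder
// is ever spliced into the query and the value stays a bound parameter.
[$q, $a] = expandArguments($sql, [':ids' => ['x' => 1]], true);
echo "patched, string-keyed input:   $q\n";
```

Compare the second and third lines of output: the only difference between them is whether the caller's key or a renumbered index reaches the SQL string.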

Summary

You can update just the single line in database.inc, or you can do a full Drupal update to 7.32.

But, you must update.


About the author

Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.