Blog: How Tos
Critical SQL Injection Vulnerability in Drupal 7.0-7.31
Stefan Horst of SektionEins discovered a critical SQL injection vulnerability in Drupal 7. All users on versions prior to 7.32 are encouraged to update as soon as possible.
As everything needs a name this one has the grand/ridiculous title of “Drupalgeddon”.
It appears that the impact/s could be quite severe – a worst case scenario is it could lead to a complete authentication bypass, or full control of and access to database contents over the internet. This is quite a big deal. There are two proposed metasploit modules for it available now.
The Drupal advisory is here.
The SektionEins advisory and technical discussion is here