List: isn
Subject: [ISN] Did Drupal Drop The Ball? Users Who Didn't Update Within 7 Hours 'Should Assume They've Been H
From: InfoSec News <alerts () infosecnews ! org>
Date: 2014-10-30 14:38:38
Message-ID: alpine.DEB.2.02.1410301438230.1586 () infosecnews ! org
http://www.forbes.com/sites/thomasbrewster/2014/10/30/did-drupal-drop-the-ball-users-who-didnt-update-within-7-hours-should-assume-theyve-been-hacked/
By Thomas Fox-Brewster
Forbes.com
10/30/2014
Hackers are remarkably quick off the mark. Drupal, the creator of the
eponymous content management system that millions use the world over, now
knows that all too well. In mid-October it patched a SQL injection flaw,
which could be exploited by tricking a database into coughing up data from
its tables and columns using the SQL language. But yesterday, it said that
thanks to an automated attack that hit up as many Drupal sites containing
the vulnerability as quickly as possible, anyone who didn't update to
version 7.32 within seven hours of its release should assume they've been
hacked.
The bombshell was officially dropped in an advisory late yesterday, ranked
'Highly Critical'. And for all those users concerned, updating to version
7.32 or applying the patch fixes the vulnerability but will not fix a
compromised website, the warning read. It gets a little worse, as Michael
Hess of the Drupal security team notes: "If you find that your
site is already patched but you didn't do it, that can be a symptom that
the site was compromised – some attacks have applied the patch as a way to
guarantee they are the only attacker in control of the site."
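The symptom Hess describes, a core file that changed when nobody on the team changed it, is exactly what a file-integrity baseline catches. The following is an added example, not code from the article or from the Drupal project: it snapshots SHA-256 hashes of a directory tree at deploy time, re-hashes later, and reports every file that was added, removed or modified without a recorded, approved change. The directory layout and file names (`core/query.inc`, `core/boot.inc`, `modules/extra.php`) are constructed stand-ins and not Drupal's real paths.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative path, '/'-separated) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def unexpected_changes(baseline, current, approved=frozenset()):
    """Return (kind, path) pairs for files that differ from the baseline and
    are not listed in `approved` (paths touched by a change you recorded)."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel in approved:
            continue
        if rel not in baseline:
            findings.append(("added", rel))
        elif rel not in current:
            findings.append(("removed", rel))
        elif baseline[rel] != current[rel]:
            findings.append(("modified", rel))
    return findings


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a tree, then simulate an unrecorded
    edit to a core file plus a file that was never part of the deployment."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "core/query.inc", "original query layer\n")
        _write(root, "core/boot.inc", "original bootstrap\n")
        baseline = snapshot(root)          # taken right after your own deploy

        _write(root, "core/query.inc", "query layer with an edit nobody recorded\n")
        _write(root, "modules/extra.php", "file that was never deployed\n")
        current = snapshot(root)           # taken during the later check

        # Nothing was approved, so both differences are findings.
        return unexpected_changes(baseline, current, approved=frozenset())


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

The baseline only has value if it is stored somewhere the web server account cannot write to; a snapshot kept inside the document root can be rewritten by whoever modified the files. When you apply a legitimate update, pass the paths it touched as `approved` (or simply re-baseline after verifying the update), so that only changes you did not make remain as findings.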
Hackers who broke into Drupal-based sites may have done all kinds of nasty
things, from installing backdoors to simply grabbing all data on that
site. They might even be able to use their leverage to compromise other
websites and apps hosted on the same server, escalating their attacks. Put
simply, this could be catastrophic for victims.
SQL injection is one of the most commonly used attack methods on the
planet. Tools like sqlmap automate such attacks, requiring little technical
skill of the attacker, yet lead to devastating results.
[...]
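The article describes SQL injection in one sentence; the following added example (not code from the article or from Drupal, which is written in PHP) shows the mechanism and the fix side by side on a constructed in-memory SQLite table. The vulnerable lookup splices user input into the SQL text, so input containing a quote changes the query's logic and the whole table comes back; the hardened lookup binds the same input as a parameter, so it is only ever compared as a string literal and the hostile input matches nothing.

```python
import sqlite3

# Constructed sample data standing in for a CMS users table.
SAMPLE_USERS = [
    (1, "admin", "hash-for-admin"),
    (2, "editor", "hash-for-editor"),
    (3, "reader", "hash-for-reader"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    # Defect: the input becomes part of the SQL text, so quotes and
    # operators inside it are parsed as SQL rather than as data.
    sql = "SELECT uid, name, pass FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Fix: a bound parameter. The database receives the query shape and the
    # value separately, so the value can never alter the WHERE clause.
    sql = "SELECT uid, name, pass FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a benign name and with the textbook
    tautology input, and return the four result sets for comparison."""
    conn = make_db()
    benign = "editor"
    hostile = "x' OR '1'='1"   # turns the vulnerable WHERE clause into a tautology
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:19} -> {len(rows)} row(s)")
```

The parameterized form is the only robust fix; escaping or filtering quotes on input is what attackers and tools such as sqlmap are built to bypass. Note also that the vulnerable function returns every row, including the password hashes, which is the "coughing up data from its tables and columns" the article refers to.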