The Drupal Security Team issued a Public Service Announcement (PSA) on October 29, 2014 to summarize Security Advisory SA-CORE-2014-005, which disclosed a serious SQL injection vulnerability in Drupal 7. The main aims of the PSA were to give an update on the time window between disclosure and the first known exploits, to repeat the severity of the vulnerability and the importance of upgrading or patching, and to provide guidance for users who patched or upgraded outside that window.
The PSA resulted in a large volume of press coverage, which we feel achieved its goals. It drew much more coverage than the original disclosure of the vulnerability on October 15th, 2014. We also found that the general tone of the press coverage was quite negative. Regrettably, some of the coverage was inaccurate, which we would like to address while providing some additional context on the security process.
We don't know how many Drupal sites were affected, although many publications have stated a figure of nearly 12 million. Many individual Drupal sites report their existence back to Drupal.org unless that reporting is disabled, and around 1 million Drupal sites in total report into this system. There is no doubt that SA-CORE-2014-005 is a severe matter; however, it is important to recognize that all software has security issues and bugs that need a remediation process.
Finding, fixing and announcing security patches is one of the strongest proofs of a healthy security process. Additionally, Drupal is one of the strongest content management systems, with a dedicated security team for contributed code and for Drupal code as well.
If you want to protect your CMS from SA-CORE-2014-005, you have to enable the WAF against this vulnerability. To confirm that SQL injection protection is on, log in to your Incapsula account, go to Settings >> WAF, and confirm that SQL Injection is set to Block Request.
The PSA goes on to state:
"Simply updating to Drupal 7.32 will not remove backdoors."
Customers therefore also have to ensure that backdoor protection is enabled. To confirm this, log in to your Incapsula account, go to Settings >> WAF, and confirm that Backdoor Protect is set to Auto-Quarantine.
This way, Incapsula will continue to monitor this vulnerability and issue other updates as appropriate.
If you are looking for professional help, contact Perception System, a leading Drupal development company, to use its Drupal Developer for hire service. For more information, click here.