Slashdot Mirror


Drupal Fixes Highly Critical SQL Injection Flaw

An anonymous reader writes Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."

2 of 54 comments

  1. Re:Is Drupal 6.x Affected? by Hewligan · Score: 3, Informative

    I've seen no mention of whether or not Drupal 6.x is vulnerable; are they?

    No, it won't be affected, as the API involved was introduced in Drupal 7.

    --

    "If God created us in his own image, we have more than reciprocated"

  2. Re:Heh by amicusNYCL · Score: 5, Informative

    It looks like a feature where you could supply one placeholder in a prepared statement, but give it an array of values, and it would expand the placeholders to fit the array. So if the query was like this:

    SELECT * FROM table WHERE id IN (:idlist)

    and you passed an array with 3 values for idlist, it would replace the query like this:

    SELECT * FROM table WHERE id IN (:idlist_1, :idlist_2, :idlist_3)

    ... then use the values in the array as the three values for those placeholders. It looks like the old code was using the keys from the data array, so instead of appending something like "_1", it would append the actual key. So an attacker could put SQL code into the array keys and it would stick those (unchanged) into the query.

    Here is the old code (without comments):

    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        // Vulnerable: $i is the caller-supplied array key and is used verbatim in the placeholder name.
        foreach ($data as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        // The generated placeholder names are spliced straight into the query text.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    }

    And the new code:

    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        // Fixed: array_values() discards the caller's keys, so $i is always 0, 1, 2, ...
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        // Placeholder names are now always of the form :key_N.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    }

    array_values will return an array with numeric indexes, which is what removes the vulnerability.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
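To make the difference between the two loops concrete, here is an added stand-alone PHP model of them, written for this page and not Drupal's own code: the function names, the `expansion_is_clean` check, the query and the input array are all constructed for illustration.

```php
<?php
// Added example (not Drupal's code): a stand-alone model of the placeholder
// expansion discussed in the comment above, vulnerable form and fixed form.
function expand_old(string $query, array $args): array {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {          // $i is the caller's key, verbatim
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

function expand_new(string $query, array $args): array {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach (array_values($data) as $i => $value) {  // $i is now 0, 1, 2, ...
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Defender's check (assumed helper): the expanded query must equal the original
// with $key replaced by a comma-separated list of bare :name placeholders only.
function expansion_is_clean(string $original, string $expanded, string $key): bool {
  $parts = array_map(function ($s) { return preg_quote($s, '/'); }, explode($key, $original));
  return preg_match('/^' . implode(':\w+(, :\w+)*', $parts) . '$/', $expanded) === 1;
}

$sql = 'SELECT * FROM users WHERE id IN (:idlist)';
// Constructed input: the caller controls the array keys as well as the values;
// 'a b' is a harmless marker that shows key text reaching the query.
$untrusted = array(':idlist' => array('a b' => 1, 'c' => 2));
list($q_old) = expand_old($sql, $untrusted);
list($q_new) = expand_new($sql, $untrusted);
echo "old: $q_old\n";
echo "new: $q_new\n";
var_dump(expansion_is_clean($sql, $q_old, ':idlist'));
var_dump(expansion_is_clean($sql, $q_new, ':idlist'));
```

The old loop lets the marker text from the key land inside the query, so the check fails for it, while the new loop only ever emits numbered placeholders and passes.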