Slashdot Mirror


Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

Trailrunner7 writes The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.

1 of 76 comments

  1. Re:PHP by Qzukk · Score: 3, Informative

    XML would not be a standard SQL construct. Neither the PHP-internal mssql driver nor the microsoft PHP driver supports TVP.

    The postgresql way to prepare a statement that needs to do something like "... field IN ($1) ..." is to rewrite it as an array operation "... field = ANY ( $1 ) ..." where $1 would be an array, but PHP/PDO can't properly/securely prepare this since it doesn't understand array operations. You would need to manually escape each element and create a literal array string in your code and pass that as the parameter:

    // $pg is an existing pg_connect() handle (assumed). The int[] literal is
    // bound as one parameter, so its contents never reach the SQL text.
    pg_prepare($pg, "test", "select * from customer where id = ANY ( $1::int[] )");
    pg_execute($pg, "test", array("{52,149,288}"));

    Note that a varchar[] in PHP would look something like "{Smith,O'Hare,Wilkerson\\, Esq.}" so none of the normal SQL escaping functions would work properly (note that single quotes are not escaped, but commas and curly braces would be escaped).

    I think postgresql arrays are slightly nonstandard (you can declare them using "datatype ARRAY[size]" but postgresql does not enforce array bounds). MySQL does not do array datatypes at all.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
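
The two approaches the comment above describes, written out as an added example (this is not code from the original post, from Drupal, or from any PHP driver): a PostgreSQL array literal passed as a single bound parameter to `= ANY($1::text[])`, built with the element quoting the commenter says the normal SQL escaping functions cannot do, and, for PDO, which cannot bind arrays, expansion into one positional placeholder per element. The example goes slightly beyond the comment by covering the PDO case too. The helper names, the `customer` table, the `$pg`/`$pdo` handles and the sample values are assumptions for illustration.

```php
<?php
// Added example, not code from the original comment or from Drupal.
// Two safe ways to bind a variable-length IN-list in PHP.

/**
 * Encode a PHP list as a PostgreSQL array literal, to be passed as ONE
 * bound parameter to "... = ANY($1::text[])". Every element is
 * double-quoted, so only backslash and double-quote need escaping;
 * commas, braces and single quotes are then ordinary characters.
 * A PHP null becomes an unquoted NULL element.
 */
function pg_array_literal(array $values): string
{
    $parts = [];
    foreach ($values as $v) {
        if ($v === null) {
            $parts[] = 'NULL';
            continue;
        }
        // Order matters: escape existing backslashes before adding the ones for quotes.
        $escaped = str_replace(['\\', '"'], ['\\\\', '\\"'], (string) $v);
        $parts[] = '"' . $escaped . '"';
    }
    return '{' . implode(',', $parts) . '}';
}

/**
 * Expand one array argument into N positional placeholders for drivers
 * such as PDO that cannot bind an array. The placeholder count is derived
 * from count($values) and the values are re-indexed with array_values(),
 * so nothing under the caller's control (not even array keys) is ever
 * interpolated into the SQL text; only the fixed '?' tokens are.
 * $marker is a token the caller puts in the query, e.g. '{ids}' (assumed convention).
 */
function expand_in_list(string $sql, string $marker, array $values): array
{
    if ($values === []) {
        // "IN ()" is a syntax error in every major dialect; fail early.
        throw new InvalidArgumentException('IN-list must not be empty');
    }
    $values = array_values($values);
    $placeholders = '(' . implode(',', array_fill(0, count($values), '?')) . ')';
    return [str_replace($marker, $placeholders, $sql), $values];
}

// PostgreSQL (pgsql extension): the whole list travels as a single parameter.
// $pg is an assumed pg_connect() handle; 'customer' is an assumed table.
function find_customers_by_name($pg, array $names): array
{
    $res = pg_query_params(
        $pg,
        'SELECT * FROM customer WHERE name = ANY($1::text[])',
        [pg_array_literal($names)]
    );
    return pg_fetch_all($res) ?: [];
}

// PDO (MySQL, SQLite, ...): one '?' per element, values bound separately.
function find_customers_by_id(PDO $pdo, array $ids): array
{
    [$sql, $params] = expand_in_list('SELECT * FROM customer WHERE id IN {ids}', '{ids}', $ids);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Offline demonstration on constructed input (no database needed).
$names = ['Smith', "O'Hare", 'Wilkerson, Esq.', 'say "hi"', 'back\\slash', null,
          '"}; DROP TABLE customer; --'];
echo pg_array_literal($names), PHP_EOL;

// Hostile keys are discarded by array_values(); only the values are bound.
$ids = ['0; DROP TABLE customer' => 52, 'x' => 149, 288];
[$sql, $params] = expand_in_list('SELECT * FROM customer WHERE id IN {ids}', '{ids}', $ids);
echo $sql, PHP_EOL;
echo json_encode($params), PHP_EOL;
```

Quoting every element is what makes `pg_array_literal()` simple: inside double quotes PostgreSQL treats commas, braces and single quotes literally, so only `\` and `"` need a backslash. `expand_in_list()` is the pattern behind most "IN-list expansion" helpers; the point worth keeping in mind, given the story above about a SQL injection living in code meant to prevent SQL injection, is that such a helper must interpolate nothing derived from its input into the query text, hence the `array_values()` and the fixed `?` tokens.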