Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

Trailrunner7 writes The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.

At this surprises who?

[Mysticalfruit]

I'm surprised it took this long! While not a PHP programmer, I've looked at some bits of the code and it's a bloody mess.

php should get a new motto: "Please Hijack our Platform"

WhiteHouse.gov

[q4Fry]

Is the White House breach a result of this bug? Inquiring minds want to know!