Drupal SQL Injection Vulnerability

Drupal SQL Injection – SA-CORE-2014-005

This posting discusses the Drupal SQL Injection vulnerability from https://www.drupal.org/SA-CORE-2014-005, which affected Drupal versions 7.0 – 7.31.  This security announcement was released on October 15, 2014 and was marked as Highly Critical.  By October 29th, the Drupal Security Team posted a follow-on Public Service Announcement (PSA), https://www.drupal.org/PSA-2014-003, which warned that all Drupal sites should be considered compromised if not patched by Oct 15th, 11pm UTC – only seven hours after the initial security release! Continue reading