Critical SQL Injection Vulnerability in Drupal 7.0-7.31
Stefan Horst of SektionEins discovered a critical SQL injection vulnerability in Drupal 7. All users on versions prior to 7.32 are encouraged to update as soon as possible.
As everything needs a name, this one has the grand/ridiculous title of “Drupalgeddon”.
The impact could be quite severe: in a worst-case scenario it could lead to a complete authentication bypass, or to full control of and access to database contents over the internet. This is quite a big deal. There are two proposed Metasploit modules for it available now.
The Drupal advisory is here.
The SektionEins advisory and technical discussion are here.