Drupal's security team has released a public service announcement calling on all users of the Drupal content management framework to consider their sites compromised.
Administrators of sites that run Drupal 7 should upgrade to 7.32 to guard against attack. Patching needs to happen sooner rather than later, because the easy-to-exploit vulnerability hands total control, including the ability to load malicious code, to attackers targeting vulnerable websites.
The Drupal security announcement said, "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15, 11pm UTC, that is seven hours after the announcement".
The vulnerability in Drupal 7.x could be exploited to gain elevated privileges or execute PHP code through SQL injection. Earlier versions of Drupal were NOT affected by the flaw, which ironically stems from code designed to guard against SQL injection attacks.
Announcing a fundamental flaw to everyone without giving Drupal users much runway to patch proactively gives attackers ample time to weaponise the flaw and exfiltrate data, or to manipulate systems for later exploitation.
The Drupal security team said that it saw automated attacks compromising unpatched sites within hours of the announcement of the SQL injection flaw, and that simply updating to the latest Drupal release will not secure an already vulnerable site, as attackers may have already accessed data without leaving any trace of their presence.
"Updating to version 7.32 or applying the patch fixes the vulnerability, but does not fix an already compromised website."
"If you find that your site is already patched but you didn't do it, that can be a symptom that the site was compromised; some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site."
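The two rules quoted above (a patch applied after the cutoff does not clean a site, and a patch you did not apply yourself is a sign of compromise) can be turned into a simple read-only triage check. The script below is an added example, not code from the article or from the Drupal project. It assumes the standard Drupal 7 layout in which the version is declared as `define('VERSION', '7.xx');` in `includes/bootstrap.inc`, that your own change records can supply the timestamp at which your team applied 7.32 or the patch, and that the cutoff falls in 2014 (the year is not stated in the article; it is the release year of Drupal 7.32). The sample `bootstrap.inc` fragment is constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# The advisory's cutoff: sites not updated or patched before this moment are
# to be treated as compromised. The year is an assumption (2014, the release
# year of Drupal 7.32); the article states only "October 15, 11pm UTC".
CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)
FIXED_VERSION = (7, 32)

# Drupal 7 declares its version as define('VERSION', '7.xx'); in
# includes/bootstrap.inc (assumed layout, not taken from the article).
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9]+(?:\.[0-9]+)+)'\s*\)")


def parse_version(bootstrap_source: str):
    """Return the VERSION constant as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(bootstrap_source)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def read_version(docroot: Path):
    """Read the version from a Drupal 7 docroot (assumed file location)."""
    source = (docroot / "includes" / "bootstrap.inc").read_text(errors="replace")
    return parse_version(source)


@dataclass
class Assessment:
    on_disk_fixed: bool          # code base is at 7.32 or later
    patched_by_us: bool          # our own change records show we applied it
    patched_before_cutoff: bool  # and did so before the advisory's cutoff
    verdict: str


def assess(on_disk_version, our_patch_time_iso=None):
    """Apply the two rules from the advisory.

    on_disk_version: version tuple found in the code base, or None.
    our_patch_time_iso: ISO-8601 timestamp of when *your* team applied 7.32
        or the patch, from your own change records; None if you never did.
        A timestamp without an offset is treated as UTC.
    """
    fixed = on_disk_version is not None and on_disk_version >= FIXED_VERSION
    by_us = our_patch_time_iso is not None
    before_cutoff = False
    if by_us:
        when = datetime.fromisoformat(our_patch_time_iso)
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        before_cutoff = when < CUTOFF

    if fixed and not by_us:
        # Rule 2: a patch you did not apply means someone else is in control.
        verdict = "patched-but-not-by-you: treat as compromised and restore from a clean backup"
    elif not fixed:
        verdict = "unpatched: upgrade to 7.32 now and treat the site as compromised"
    elif before_cutoff:
        verdict = "patched-before-cutoff: likely clean, still review logs"
    else:
        # Rule 1: patching after the cutoff closes the hole but does not clean up.
        verdict = "patched-after-cutoff: assume compromise, the patch does not clean the site"
    return Assessment(fixed, by_us, before_cutoff, verdict)


# Constructed sample: the relevant lines of an already-updated bootstrap.inc.
SAMPLE_BOOTSTRAP = (
    "<?php\n/**\n * @file\n */\n"
    "define('VERSION', '7.32');\n"
    "define('DRUPAL_CORE_COMPATIBILITY', '7.x');\n"
)

if __name__ == "__main__":
    found = parse_version(SAMPLE_BOOTSTRAP)
    # Our change records say nobody on the team applied the update.
    print(found, assess(found, None).verdict)
```

Run it against a real docroot with `assess(read_version(Path("/var/www/site")), "<timestamp from your deploy log>")`. The version check only tells you what is on disk; the verdict depends on pairing it with your own deployment record, which is exactly the comparison the advisory asks administrators to make.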