
Drupal Vulnerability Could Allow Potential Compromise of Drupal Web sites

Thursday, November 6, 2014 - 11:21

What is the Drupal Vulnerability?

Drupal is open-source content management software that is used to manage and publish Web sites. Drupal has announced a new SQL injection vulnerability that can allow an attacker to insert harmful code into a Web site entry field, where it is then executed. An attacker who successfully exploits this vulnerability could create new users, upload files to or manipulate files on the Drupal content management system, or copy or modify data within the Drupal database. Versions of Drupal 7 prior to version 7.32 are vulnerable.

What is Pitt Doing?

Computing Services and Systems Development has been working with Drupal system administrators to apply the appropriate patch and monitor the network for signs of a compromise.

What Should I Do?

If you administer a web server that is using a vulnerable version of Drupal, you should patch immediately. According to recommendations by Drupal, you should also consider restoring your site’s Drupal database and file systems to a time before the vulnerability’s announcement on October 15. Please refer to the reference links below for details.

If you manage a Drupal server in your department and would like assistance determining if it is susceptible, or would like assistance in identifying indications that a compromise has occurred, please contact the Technology Help Desk at 412-624-HELP [4357] or submit a request online.
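One way to check a server against the version range given above, as an added example that is not part of the original advisory or Drupal's own tooling. It assumes Drupal 7 core records its version in includes/bootstrap.inc as a `define('VERSION', '7.31');` line; the function name and status words are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Drupal docroot against "Drupal 7 prior to 7.32".
# Assumption: Drupal 7 core stores its version in includes/bootstrap.inc as
#   define('VERSION', '7.31');
# A site fixed by patching files in place keeps its old version string, so
# "vulnerable" here means "not upgraded to 7.32; confirm the patch by hand".

drupal7_status() {
    f="$1/includes/bootstrap.inc"
    if [ ! -r "$f" ]; then echo "unknown"; return 2; fi

    # Pull the quoted value out of the first define('VERSION', '...') line.
    ver=$(sed -n "s/^[[:space:]]*define('VERSION',[[:space:]]*'\([^']*\)').*/\1/p" "$f" | head -n 1)
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi

    case $ver in
        7.*) ;;                                   # only Drupal 7 is in scope
        *) echo "not-drupal7 $ver"; return 0 ;;
    esac

    rest=${ver#7.}                 # "31", "32-dev", "x-dev"
    minor=${rest%%[!0-9]*}         # leading digits only

    # Dev snapshots (7.x-dev, 7.32-dev) may predate the fix: flag for review.
    if [ -z "$minor" ] || [ "$rest" != "$minor" ]; then
        echo "review $ver"; return 2
    fi

    # Numeric comparison, so 7.9 sorts below 7.32.
    if [ "$minor" -lt 32 ]; then
        echo "vulnerable $ver"; return 1
    fi
    echo "fixed-release $ver"; return 0
}

# Usage: sh check.sh /var/www/site1 /var/www/site2
if [ $# -gt 0 ]; then
    for d in "$@"; do
        printf '%s: ' "$d"
        drupal7_status "$d" || :
    done
fi
```

A "fixed-release" result only says the code is current; it says nothing about whether the site was compromised before it was upgraded.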

References