On October 29, 2014, the security team for Drupal, the popular open-source content management system (CMS) for over a billion websites, released a public service announcement advising their 12 million customers to update their software due to a SQL injection attack.
The vulnerability allows hackers to use SQL injection to breach core code intended to prevent such attacks, and then take control of a website’s database. Once a web server has been compromised, the patch can’t help. In fact, according to Hacker News, if you did not download the patch yourself but find it already in place when you attempt the fix, your website has been infiltrated.
Walls’ article in Cyber Defense Magazine can be found HERE.
Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft. Comments and questions for Mike Walls are welcome: firstname.lastname@example.org