Barracuda Web Application Firewall: Securing Drupal 7 SQL Injection (CVE-2014-3704)

Print Friendly, PDF & Email

Drupal is a popular and cross-platform open source content management system (CMS) that powers millions of sites on the Internet.

Recently, it was found to have a critical SQL Injection vulnerability: Drupal 7 SQL Injection (CVE-2014-3704). The exploit takes advantage of an SQL vulnerability in which a specially crafted HTTP request executes remote SQL commands against the database.

Ironically, the vulnerability was inadvertently introduced by Drupal’s database abstraction layer, the very layer supposed to prevent exactly such an attack.

The attack can be launched by any user and does not require any authentication or social engineering. The vulnerability is exposed through an HTTP parameter called name. Normally, its value in a genuine HTTP POST request would be something like:

Name=value

An example exploit would look like:

name[0;SQL command;#]=value

 

Unlike most SQL Injection attacks, the exploit here is through the parameter name rather than it’s value. Barracuda Web Application Firewall v7.9 and above allows instant remediation of this attack. To ensure that you are protected, confirm that under SECURITY POLICIES > Parameter Protection, the Validate Parameter Name control to Yes.

These settings protect you from all known and unknown, future zero-day SQL injection attacks.

 

Putting the vulnerability in Perspective

Drupal powers approximately 1.9% of sites on the Internet, including 3.5% of the Top 10,000 sites and 3.2% of the Top 100,000 sites on the entire Internet.

National Vulnerability Database rates its Exploitability as a 10 – does not require any advanced knowledge to exploit, easy enough for script kiddies

Controlling the database of a CMS allows attackers to completely own the system. In most instances, victims will not even know they have been hacked.

Drupal enjoys great success and a huge community of developers and users. More eyes may not necessarily mean fool-proof security, just like Heartbleed and ShellShock.

Visit this page to learn more about the Barracuda Web Application Firewall (WAF).  Get a risk-free, 30-day demo of the Barracuda WAF here.

Scroll to top
Tweet
Share
Share