Drupal is a popular and cross-platform open source content management system (CMS) that powers millions of sites on the Internet.
Recently, it was found to have a critical SQL Injection vulnerability: Drupal 7 SQL Injection (CVE-2014-3704). The exploit takes advantage of an SQL vulnerability in which a specially crafted HTTP request executes remote SQL commands against the database.
Ironically, the vulnerability was inadvertently introduced by Drupal’s database abstraction layer, the very layer supposed to prevent exactly such an attack.
The attack can be launched by any user and does not require any authentication or social engineering. The vulnerability is exposed through an HTTP parameter called name. Normally, its value in a genuine HTTP POST request would be something like:
An example exploit would look like:
Unlike most SQL Injection attacks, the exploit here is through the parameter name rather than it’s value. Barracuda Web Application Firewall v7.9 and above allows instant remediation of this attack. To ensure that you are protected, confirm that under SECURITY POLICIES > Parameter Protection, the Validate Parameter Name control to Yes.
These settings protect you from all known and unknown, future zero-day SQL injection attacks.
Putting the vulnerability in Perspective
Visit this page to learn more about the Barracuda Web Application Firewall (WAF). Get a risk-free, 30-day demo of the Barracuda WAF here.