SQL Injection Vulnerability in Drupal 7

Drupal 7 before 7.32 is vulnerable to a highly critical SQL injection flaw. If you are responsible for Drupal installations, this is not one to schedule for the next maintenance window: update to 7.32 now. All sites hosted by Kilpatrick Design are patched and secure.

Drupal as a whole has an excellent track record on security. Its mature process for handling security issues and its use on high-profile websites are good evidence of the real success the Drupal team has had on that front. Since no software project is perfectly secure, good security practice should produce a steady stream of security updates for software as complex as Drupal, and since we host a fair number of Drupal sites we watch those updates carefully so we can respond.

Most often, the issues that arise are in contributed modules we don't use, can be mitigated through configuration, or don't apply unless you have granted unusual, non-default permissions to otherwise unprivileged users. So while they should be fixed, there's generally not a rush.

This most recent update, covered by advisory SA-CORE-2014-005, is not an issue you can defer resolving. It is a SQL injection vulnerability in Drupal 7 core that can be exploited by unauthenticated users: no account, no special permissions, just an HTTP request. The flaw is in Drupal's database abstraction layer. When a query placeholder is given an array of values (as happens for an `IN (...)` condition), the keys of that array were used to build the expanded placeholder names and written straight into the SQL text without escaping. Because PHP lets a request submit any form field as an array with attacker-chosen keys, a crafted request controls part of the query. Armed with the knowledge that your site is running a vulnerable version of Drupal, an attacker can gain administrative access, change your database or drop it completely, or achieve arbitrary code execution on your server; in short, a black hat's gold mine. One caveat: updating closes the hole but does not undo a compromise that has already happened. If a site ran unpatched after the advisory became public, also review it for unexpected administrator accounts, unfamiliar modules, and modified files.
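To make the mechanism concrete, here is an added illustration that is not code from the original post and not Drupal's own source. It is a stripped-down, standalone re-implementation modelled on the placeholder expansion that Drupal 7's `DatabaseConnection::expandArguments()` (in `includes/database/database.inc`) performs, shown in the shape it had before 7.32 and with the one-line fix 7.32 applied. The function names and the sample query and input are assumptions made for this example.

```php
<?php
// Added example, not Drupal's code: a minimal model of how Drupal 7 expands
// an array-valued placeholder into a comma-separated list of placeholders.

// Shape before 7.32: the suffix of each new placeholder name is the KEY of
// the caller-supplied array, and that key is spliced into the SQL text.
function expand_arguments_vulnerable(string $sql, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {          // $i is attacker-controlled
            $new_keys[$key . '_' . $i] = $value;
        }
        // Replace the single placeholder with the list of new placeholder names.
        $sql = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $sql);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$sql, $args];
}

// Shape after 7.32: iterate over array_values(), so the suffix is always a
// numeric index chosen by the code, never a string chosen by the request.
function expand_arguments_fixed(string $sql, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) { // $i is 0, 1, 2, ...
            $new_keys[$key . '_' . $i] = $value;
        }
        $sql = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $sql);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$sql, $args];
}

// Assumed query: a lookup by user name, the kind of query an IN condition
// produces when a name is passed as an array.
$query = "SELECT uid FROM {users} WHERE name IN (:name) AND status = :status";

// Constructed input: a form value that arrived as an array (name[...]=... in
// a POST body), so its KEY is whatever the sender put in the brackets.
$hostile = [':name' => ['0 ) OR 1=1 -- ' => 'anything'], ':status' => 1];

list($sql, $args) = expand_arguments_vulnerable($query, $hostile);
echo "Vulnerable expansion:\n  $sql\n";   // the hostile key is now SQL text

list($sql, $args) = expand_arguments_fixed($query, $hostile);
echo "Fixed expansion:\n  $sql\n";        // only :name_0 appears in the SQL
```

Run it with `php` on the command line. The vulnerable expansion emits a query whose text contains the raw array key, closing the `IN (` list early and commenting out the rest of the statement; the fixed expansion emits `:name_0` and keeps the hostile string where it belongs, as a bound value. That single `array_values()` call is the substance of the 7.32 fix, which is why the update is tiny and safe to apply immediately.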

If you need help with Drupal security or Drupal development and engineering of any kind, please get in touch!