We have discovered - at e-Sealed - that most Drupal websites in KSA are vulnerable to a very serious SQL injection attack. 

More than 60% of the Drupal websites in KSA have critical security issues.

 

The bug was introduced in early 2011 and stayed well hidden in the core framework. It was discovered on 15th of October 2014.

E-Sealed has discovered that most (apx 62%) of the Drupal based websites in Saudi Arabia are still vulnerable to the highly critical security issue.

The vulnerability affecting all Drupal 7.x versions prior to 7.32 became public on October 15 2014 and leaves Millions of Websites Open to Hackers, This bug can be exploited remotely by non-authenticated users, and shortly after the disclosure, attackers began exploiting it using "automated attacks". It appears that the impact/s could be quite severe - a worst case scenario is it could lead to a complete authentication bypass, or full control of and access to database contents over the Internet. According to Drupal's own statistics, almost a million websites currently use Drupal 7.

As the initial Drupal security advisory explains, "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."

A followup advisory notes that automated attacks began compromising Drupal 7 websites within hours of the announcement of the flaw, and warned that simply updating to Drupal 7.32 will not remove backdoors. "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement," the advisory states. "If you have not updated or applied this patch, do so immediately."

"If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised -- some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site," the speed with which this flaw was exploited is alarming.

In many cases, it simply wouldn't have been possible for system administrators to update their systems in time to block any attacks. The best defense in this arms race is about protecting your properties in various ways that complement each other, While patching is important, there are other methods to defend against such attacks, for example by hardening your website against SQL injections, brute force attacks, and also by deploying a Web application firewall which can detect malicious behavior and stop them before they reach your internal applications.

E-sealed has discovered that most of the Drupal based websites in Kingdom which also includes some govt website from different sectors are still using vulnerable version of Drupal 7.0-7.31. This can result in massive level compromises of Information availability, integrity and confidentiality. You can contact E-sealed to test and restore your vulnerable site, E-sealed can help you to identify and mitigate your security risks by providing professional vulnerability analysis, penetration testing and website hardening services.