On October 15, 2014, the Drupal security team discovered a critical security flaw, tracked as CVE-2014-3704. On 29 October, Drupal publicly announced the discovery of this vulnerability, together with a patch.
What does it allow?
Drupal has a mechanism that validates and sanitizes the queries made to its database. However, the flaw allows an attacker to trigger SQL injection attacks. In some contexts, this may let the attacker gain additional privileges in the system, execute PHP code, or carry out other types of attack.
Since when does it exist?
The flaw is present in all versions of Drupal 7 below 7.32; the announcement carries the reference SA-CORE-2014-005. To test whether your site is vulnerable, you can use the following script: https://www.drupal.org/project/drupalgeddon
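As an added example (not part of the original announcement and not the Drupal project's code), the Python script below walks a directory tree, reads the VERSION constant that Drupal 7 core defines in includes/bootstrap.inc, and flags installations below 7.32. The function names and the "unknown" result for development builds are assumptions of this example.

```python
import os
import re
import sys

# Drupal 7 core declares its version in includes/bootstrap.inc, e.g.
#   define('VERSION', '7.31');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
FIXED_MINOR = 32  # per the announcement: Drupal 7 releases below 7.32 are affected


def parse_version(bootstrap_text):
    """Return the VERSION string found in bootstrap.inc contents, or None."""
    m = VERSION_RE.search(bootstrap_text)
    return m.group(1) if m else None


def classify(version):
    """Map a version string to 'affected', 'not-affected' or 'unknown'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(-.+)?", version or "")
    if not m:
        return "unknown"        # e.g. '7.x-dev' or no VERSION found: inspect by hand
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if major != 7:
        return "not-affected"   # the announcement covers Drupal 7 only
    if minor < FIXED_MINOR:     # numeric comparison, so 7.9 sorts below 7.32
        return "affected"
    if minor == FIXED_MINOR and suffix:
        return "unknown"        # assumption: a 7.32 pre-release needs a manual check
    return "not-affected"


def scan(root):
    """Yield (site_dir, version, status) for each Drupal tree found under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "includes" and "bootstrap.inc" in filenames:
            path = os.path.join(dirpath, "bootstrap.inc")
            with open(path, errors="replace") as fh:
                version = parse_version(fh.read())
            yield os.path.dirname(dirpath), version, classify(version)


if __name__ == "__main__":
    for site, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:13} {version or '?':10} {site}")
```

A site where only the database.inc patch was applied still reports its old version number, so an "affected" result there has to be confirmed against the patched file.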
How to fix it?
Update Drupal: https://www.drupal.org/download.
If you cannot do this, you can apply this patch to the database.inc file.
We remind you that it is recommended to update your applications and services regularly, to guarantee their stability and security.