MDDHosting Forums

Drupal Vulnerability - Version: 7.x - Security risk: 25/25 ( Highly Critical )

Michael D.




This only specifically concerns users that are running Drupal [not everyone, generally you would know] but the security implications of not keeping a piece of software up-to-date apply to everything such as WordPress, Joomla, etc.


Drupal has announced that if you did not patch the Drupal Vulnerability announced/patched October 15, 2014 within 7 hours of the patch being released that more than likely you were already hacked/compromised. We've found numerous accounts on our network that are up to date but the patches were applied after the sites were compromised initially. Here is Drupal's formal announcement stating as well: Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003 and here is the original vulnerability patch announcement: SA-CORE-2014-005 - Drupal core - SQL injection.


If you are running Drupal, regardless of whether you've been upgraded or not, you should check your account for unauthorized modifications. Looking in the core folder for Drupal we've more often than not seen scripts such as "view.php", "graph.php", "document.php", etc. - files that are not actually a part of Drupal and are malicious - and in many cases we have also found other malicious files distributed through affected accounts at the same date/time.


Understand these are not server level issues and there is relatively little we could do as a provider to protect you from this. We try to make it clear in our Terms of Service and on our company forums that keeping all software installations up to date is very important for account security. While this notice is specifically about Drupal - the advice does apply to all third party scripts installed within your account. This isn't to cause you distress or trouble but simply to help you keep your account secure against malicious third parties.

For more details on this specific Drupal vulnerability please see the following links:

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

SA-CORE-2014-005 - Drupal core - SQL injection

Drupal warns unless you patched within seven hours, you're hacked

Millions of websites hit by Drupal hack attack
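
The check described in the post, as an added example that is not MDDHosting's or Drupal's own tooling: it compares a live Drupal 7 tree against a clean copy of the same release and lists files the release does not ship, shipped files whose contents differ, and other files modified at about the same time. The function names, the 300-second window, treating `sites/` as site-specific content, and the sample trees built in `demo()` are assumptions constructed for illustration.

```python
import hashlib, os, pathlib, tempfile

def _walk(root):
    """Yield (relative_path, sha256, mtime) for each regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the tree
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            yield rel, digest, os.stat(path).st_mtime

def audit_drupal(site_root, clean_root, window=300):
    """Return (added, modified, same_time): files outside sites/ the release does
    not ship, shipped files whose content differs, and other files whose mtime
    is within `window` seconds of one of those suspect files."""
    clean = {rel: digest for rel, digest, _ in _walk(clean_root)}
    added, modified, rest, times = [], [], [], []
    for rel, digest, mtime in _walk(site_root):
        if rel in clean:
            if clean[rel] != digest:
                modified.append(rel)
                times.append(mtime)
        elif rel.startswith("sites/"):  # assumption: site-specific content lives here
            rest.append((rel, mtime))
        else:
            added.append(rel)
            times.append(mtime)
    same_time = [r for r, m in rest if any(abs(m - t) <= window for t in times)]
    return sorted(added), sorted(modified), sorted(same_time)

def demo():
    """Audit constructed sample trees (not real Drupal files, made-up timestamps)."""
    base = tempfile.mkdtemp()
    shipped = {"index.php": "<?php // core", "includes/bootstrap.inc": "<?php // core"}
    live = {**shipped, "includes/bootstrap.inc": "<?php // core, altered",
            "modules/view.php": "<?php // not shipped",
            "sites/default/settings.php": "<?php // site config",
            "sites/default/files/graph.php": "<?php // not shipped"}
    for root, tree in (("clean", shipped), ("site", live)):
        for rel, body in tree.items():
            path = pathlib.Path(base, root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
            ts = 500000 if rel.endswith("settings.php") else 1000000
            os.utime(path, (ts, ts))
    return audit_drupal(os.path.join(base, "site"), os.path.join(base, "clean"))
```

Modification times can be reset by whoever wrote the files, so an empty `same_time` list does not clear an account; the hash comparison against the clean release does not depend on timestamps.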
