Description
Stefan Horst of SektionEins GmbH reported a critical pre-auth SQL injection vulnerability in Drupal core 7.x versions prior to 7.32. Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
Remediation
Upgrade to the latest version of Drupal. This issue was fixed in version 7.32.
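To confirm whether an installation is in the affected range, the core version can be read from includes/bootstrap.inc, where Drupal 7 defines the VERSION constant. The following is an added example, not part of the original advisory or of Drupal itself. The function names and sample inputs are constructed, and flagging a 7.32 snapshot with a suffix (such as -dev) for manual review is an assumption, since such a label does not prove the fix is present.

```python
import re

# Drupal 7 declares its core version in includes/bootstrap.inc, e.g.
#   define('VERSION', '7.31');
VERSION_RE = re.compile(
    r"""define\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")
FIXED_MINOR = 32  # the advisory states the issue was fixed in 7.32


def extract_version(bootstrap_source):
    """Return the VERSION string from bootstrap.inc contents, or None."""
    match = VERSION_RE.search(bootstrap_source)
    return match.group(1) if match else None


def classify(version):
    """Classify a Drupal core version against the 7.32 fix.

    Returns 'affected', 'fixed', 'out-of-scope' (not 7.x) or 'review'
    (missing/unparseable version, or a suffixed 7.32 snapshot).
    """
    if version is None:
        return "review"
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?(-[A-Za-z0-9.]+)?",
                     version.strip())
    if not m:
        return "review"
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if major != 7:
        return "out-of-scope"
    # Compare minors as integers: as strings, "7.9" would sort after "7.32".
    if minor < FIXED_MINOR:
        return "affected"
    if minor == FIXED_MINOR and suffix:
        return "review"  # assumption: label alone does not prove the fix
    return "fixed"


if __name__ == "__main__":
    # Constructed sample file contents, not taken from a real site.
    samples = [
        "<?php\ndefine('VERSION', '7.31');\n",
        "<?php\ndefine('VERSION', '7.9');\n",
        "<?php\ndefine('VERSION', '7.32');\n",
        "<?php\ndefine('VERSION', '7.32-dev');\n",
        "<?php\n// no version constant here\n",
    ]
    for source in samples:
        version = extract_version(source)
        print(version, "->", classify(version))
```
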