Drupal SA-CORE-2014-005 and POODLE: What you need to know
Worried about the different Drupal and SSL security announcements made this week? Here's what you need to know.
Drupal SA-CORE-2014-005
On Wednesday, the Drupal Security Team released a highly critical security update (SA-CORE-2014-005) for Drupal 7. If you have a Drupal 7 site that isn't on the latest 7.32 version, it is extremely important that you upgrade your sites or apply the patch immediately!
This isn't your regular Drupal security announcement, which, while still important to apply, may or may not affect your particular site. This vulnerability affects every single Drupal 7 site out there. And since the announcement, proofs of concept (PoCs) have been popping up on the internet.
The vulnerability is a SQL injection vulnerability: it allows an attacker to send specially crafted requests to the site, which can ultimately lead to arbitrary PHP code execution and to access to all of your site's and users' data, as well as the ability to modify it. What makes this particularly bad is that the vulnerability doesn't require the attacker to already have privileged access to the site - any anonymous user can do it. Thankfully a security release is available, and you can, and should, update today.
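If you manage several Drupal 7 docroots, a quick way to confirm which of them still need the upgrade is to read the core version from each one and check whether the 7.32 fix is present. This is an added example, not code from the original post or from Drupal core; the grep signature for the database.inc fix and the sample docroots it builds are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or from Drupal core): audit a Drupal 7
# docroot for SA-CORE-2014-005. Safe when core is 7.32+ or when database.inc already
# carries the 7.32 fix; the grep signature below is the assumed signature of that fix.

drupal_version() {  # $1 = docroot; prints the VERSION constant or "unknown"
    v=$(sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" \
        "$1/includes/bootstrap.inc" 2>/dev/null | head -n 1)
    [ -n "$v" ] && echo "$v" || echo unknown
}

version_at_least_7_32() {  # $1 = version string such as 7.31 or 7.32-dev
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" = 7 ] && [ "${minor:-0}" -ge 32 ] || return 1
}

sa_core_2014_005_patched() {  # $1 = docroot; 0 if the database.inc fix is present
    grep -qF 'foreach (array_values($data) as $i => $value)' \
        "$1/includes/database/database.inc" 2>/dev/null
}

check_drupal_site() {  # $1 = docroot; prints a verdict, returns 1 if vulnerable
    ver=$(drupal_version "$1")
    if version_at_least_7_32 "$ver"; then
        echo "$1: Drupal $ver - fixed in core (7.32 or later)"
    elif sa_core_2014_005_patched "$1"; then
        echo "$1: Drupal $ver - SA-CORE-2014-005 patch applied; upgrade to 7.32 when possible"
    else
        echo "$1: Drupal $ver - VULNERABLE: upgrade to 7.32 or apply the patch immediately"
        return 1
    fi
}

# Constructed sample docroots (not real Drupal trees) so the check runs offline.
make_sample_docroot() {  # $1 = dir, $2 = version, $3 = patched|unpatched
    mkdir -p "$1/includes/database"
    printf "<?php\ndefine('VERSION', '%s');\n" "$2" > "$1/includes/bootstrap.inc"
    loop='foreach ($data as $i => $value) {'
    if [ "$3" = patched ]; then loop='foreach (array_values($data) as $i => $value) {'; fi
    printf '<?php\nfunction expandArguments(&$query, &$args) {\n  %s\n' "$loop" \
        > "$1/includes/database/database.inc"
}

tmp=$(mktemp -d)
make_sample_docroot "$tmp/site-old" 7.31 unpatched
make_sample_docroot "$tmp/site-patched" 7.31 patched
make_sample_docroot "$tmp/site-new" 7.32 patched
for d in "$tmp"/site-*; do check_drupal_site "$d" || true; done
rm -rf "$tmp"
```

Point `check_drupal_site` at a real docroot instead of the constructed ones to audit your own sites; a non-zero exit means that site needs attention.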
If you host your site with Annertech, or are one of our support clients, then rest assured that your site is safe. All vulnerable sites were patched within minutes of the announcement being made.
POODLE
However, #drupalsa05 isn't the only security vulnerability announced this week. POODLE is yet another. It transpires that SSLv3 has a design flaw that allows the plaintext of secure connections to be recovered by a network attacker. SSL is used to protect your information from access and modification when browsing sites over https, so if you're using a browser on the same wireless network as your attacker, you may be susceptible if that browser is using SSLv3. SSLv3 is nearly 18 years old and newer, stronger versions are available. The method varies with your browser version, but you can protect yourself against this vulnerability by disabling SSLv3 support in your browser configuration. IE6 on Windows XP, for example, doesn't support anything newer than SSLv3.
If you provide hosting services, it is also possible to protect your users from being attacked. You can configure your web server to disable SSLv3; the steps vary depending on the web server or application being used. Again, if you host your site with Annertech, we've already taken this precaution for you; otherwise get in touch with your hosting company to see what measures they've taken.
So, whilst the threats are severe, the fixes are simple. Make sure that your website is not open to attack.
Stella Power, Managing Director
As well as being the founder and managing director of Annertech, Stella is one of the best known Drupal contributors in the world.