Advisory says to assume all Drupal 7 websites are compromised

Only those who patched within seven hours may be in the clear

Jen Anderson

If your organization uses Drupal, you might have a serious problem on your hands. On October 15, Drupal urged users to apply an update that fixed a SQL Injection flaw. However, unless that patch was installed within seven hours, Drupal now says it's best to assume the website was completely compromised.

The SQL Injection vulnerability exists in an API used by Drupal, which is supposed to prevent SQL Injection. It was re-discovered by German security firm SektionEins in September, after a Drupal user hired them to check for vulnerabilities.

Copyright © 2014 IDG Communications, Inc.