Critical SQL Injection Vulnerability in Drupal 7.x Gives Any User Admin Access



Security researchers from SektionEins have discovered a critical SQL injection vulnerability in the Drupal CMS that puts a large number of websites that use Drupal at risk.

SQL Injection attacks

Drupal introduced a database abstraction API in version 7. The purpose of this API is to prevent SQL injection attacks by sanitizing SQL queries. However, the API itself introduced a new and critical SQL injection vulnerability. The vulnerability enables attackers to run malicious SQL queries and PHP code on vulnerable websites. Successful exploitation allows an attacker to take complete control of the site.

This vulnerability can be exploited by a non-authenticated user and has been classified as “Highly Critical”.

A proof of concept has been released online that allows anyone to change the password of the admin account. So hurry up and update your Drupal CMS.

Temporary fix

You can also directly modify the “includes/” file to patch this vulnerability:
On line 739, change “foreach ($data as $i => $value) {” to “foreach (array_values($data) as $i => $value) {”.
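
Why the one-line change works, shown as an added example that is not Drupal's code or the researchers': a simplified model which assumes the loop index is appended to the placeholder name. expand_placeholder(), placeholders_are_clean(), the query and the sample data are all constructed for illustration.

```php
<?php
// Simplified model of expanding one array argument into a named placeholder
// per element. expand_placeholder() is a hypothetical helper, not Drupal code.
function expand_placeholder(string $query, string $key, array $data, bool $patched): array
{
    // The temporary fix: array_values() discards the incoming keys, so $i is
    // always 0, 1, 2, ... no matter what keys the array arrived with.
    $items = $patched ? array_values($data) : $data;

    $new_args = [];
    foreach ($items as $i => $value) {
        // $i becomes part of the placeholder name, which is SQL text.
        $new_args[$key . '_' . $i] = $value;
    }
    $expanded = str_replace($key, implode(', ', array_keys($new_args)), $query);
    return [$expanded, $new_args];
}

// A placeholder name is well formed only as a colon followed by word characters.
function placeholders_are_clean(array $args): bool
{
    foreach (array_keys($args) as $name) {
        if (!preg_match('/^:\w+$/', $name)) {
            return false;
        }
    }
    return true;
}

// Constructed sample query and input. One element carries a harmless
// non-numeric key, standing in for a key that trusted code did not choose.
$query = 'SELECT uid FROM users WHERE name IN (:names)';
$data  = ['marker key' => 'alice', 1 => 'bob'];

foreach ([false, true] as $patched) {
    [$sql, $args] = expand_placeholder($query, ':names', $data, $patched);
    printf(
        "%-8s %s (placeholders clean: %s)\n",
        $patched ? 'patched' : 'original',
        $sql,
        placeholders_are_clean($args) ? 'yes' : 'no'
    );
}
```

With the original loop the array key is copied into the query text; with array_values() only integer indices reach it, so the values stay bound as parameters.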



Proof of exploit

The following Python code changes the admin password of a vulnerable Drupal site to ‘admin’ (tested with Drupal versions 7.21 and 7.31).