Drupal 7.32 is an Absolutely Necessary Update


We’re accustomed to the Drupal security team releasing security fixes.

Fortunately, most of the fixes were relatively minor. They either impacted a small group of sites, or they were unlikely to lead to your site being hacked.

Let’s take a brief look at the 4 previous Drupal security advisories in 2014:

  • Drupal 7.31: A possible denial of service, so your site could be inaccessible
  • Drupal 7.29: A possible denial of service, so your site could be inaccessible
  • Drupal 7.27: Some private information could possibly be leaked from people using multi-step forms
  • Drupal 7.26: It’s possible to take over an administrator account, but only if they’re using OpenID

None of those issues were absolutely critical for all sites.

Drupal 7.32 is different. All site owners need this security fix.

Drupal.org has an FAQ on this security release:

“Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information.”

In short, the issue fixed by 7.32 could allow an anonymous attacker to compromise any Drupal site. It’s the most serious Drupal security issue in a long time.

You should update. Now.

Where is the security issue?

The problem is in the file /includes/database/database.inc.

Here’s the old, vulnerable code, starting at line 735:

[Screenshot: the old code in database.inc]

Here’s the new, safer code, again starting about line 735:

[Screenshot: the new code in database.inc]

So, replace this line in database.inc:

foreach ($data as $i => $value) { 

with this line:

foreach (array_values($data) as $i => $value) { 
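
Why that one-line change matters, shown with an added example that is not Drupal's own code and not from the original article: a simplified model of the array-placeholder expansion around that foreach line. The function names expand_arguments and placeholders_are_clean, the sample query and the sample keys are assumptions made for illustration.

```php
<?php
// Added example: simplified model of the array-placeholder expansion that the
// changed foreach line belongs to. Not Drupal's own code.
function expand_arguments(string $query, array $args, bool $patched): array {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    // The 7.32 change: array_values() discards caller-supplied keys and
    // renumbers the items 0, 1, 2, ...
    $items = $patched ? array_values($data) : $data;
    $new_keys = array();
    foreach ($items as $i => $value) {
      // The array key becomes part of the placeholder *name*.
      $new_keys[$key . '_' . $i] = $value;
    }
    // The placeholder names are written into the SQL text itself.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Defensive check: every generated argument name must be a plain placeholder.
function placeholders_are_clean(array $args): bool {
  foreach (array_keys($args) as $name) {
    if (!preg_match('/^:\w+$/', $name)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed input: an array whose keys came from outside the code
// (for example submitted form data) instead of being plain 0, 1, 2.
$sql  = 'SELECT nid FROM {node} WHERE nid IN (:ids)';
$args = array(':ids' => array('first item' => 3, 'second item' => 7));

foreach (array(FALSE, TRUE) as $patched) {
  list($q, $a) = expand_arguments($sql, $args, $patched);
  printf("%-9s %s\n          clean placeholders: %s\n",
    $patched ? 'patched' : 'unpatched', $q,
    placeholders_are_clean($a) ? 'yes' : 'no');
}
```

In the unpatched run the key text appears inside the SQL string, so the statement is no longer made only of code-defined placeholders; in the patched run the names are always of the form :ids_0, :ids_1.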

Summary

You can update just the single line in database.inc, or you can do a full Drupal update to 7.32.

But, you must update.

Author

  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

5 Comments
Anna
10 years ago

Nice article!!!!!

SimonW
10 years ago

Can I apply the patch directly to an older version, e.g. 7.15?

steve
10 years ago
Reply to  Simon

Hi Simon. Yes, you can do that.

Will
10 years ago

Hello there, is it possible that there is no difference between the script lines above?

Greetings, Will

steve
10 years ago
Reply to  Will

Yes, a very small change
