How Drupal is Fixing the SQL Injection Issue

Submitted by Sara Parks on 11/18/2014 - 11:32 am

A couple of weeks ago, a critical bug affecting all Drupal 7 sites was discovered by a German PHP firm during a security audit for one of their clients. It was quickly announced, and a patch as well as an update were released. While many sites are still waiting to be updated, we wanted to bring you the overall picture of the situation.

How Many Sites Are Affected?

Every site that uses Drupal 7 is affected. Sites that use Drupal 6 or even 5 are not affected by this attack. Attacks are still ongoing as programmers around the world work to apply the Drupal 7 fix to their sites.

Patch or Major Update?

To fix the issue, developers can choose between a security patch and a major update to core.

  • Patch - If your site is many versions behind, jumping several versions forward may break dependencies on the site, which is the case for applying the patch alone. For example, Drupal 7.16 made changes to its API, so updating from Drupal 7.15 or earlier will need thorough testing. If your site has already been hacked, the patch will not undo that.
  • Update - This is the recommended option, as it provides the latest version of Drupal Core (the base feature set that Drupal provides when downloaded). There will be no side effects whatsoever if you are upgrading from Drupal 7.31. Like the patch, if your system has already been compromised, the update will not remove anything an attacker has already planted. It will simply prevent future attacks.

Is Drupal in Danger?

Of all the security issues announced this year alone, only a couple involved Drupal core directly. The majority did not apply to every Drupal site.

  • Best practices - If developers are following best practices and doing regular maintenance, then your site is only exposed to critical core issues like this one.
  • Open source community - Drupal has such an active community working on and supporting it that the process to identify, announce and solve issues is quick.

Is a Maintenance Plan Worth it?

Even if critical issues like this one only happen once in a blue moon, there are other issues that happen more often. These arise when your site is not kept on the latest module releases or the latest Drupal core release. Updates exist because someone fixed a defect in the previous version.

We recommend that you have a plan in place for monthly updates, so that when a fix is needed it takes less time to apply.

In Review...

Whether you use the patch or update core, the important thing is to ensure your Drupal site is secure. We have been working hard to update sites for our clients, and recommend you do the same if you haven't already.