SA-CORE-2014-005 - Drupal core - SQL injection


Advisory ID: DRUPAL-SA-CORE-2014-005
Project: Drupal core
Version: 7.x
Date: 2014-Oct-15
Security risk: 25/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:All
Vulnerability: SQL Injection
Description
Drupal 7 includes a database abstraction API intended to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests that result in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This vulnerability can be exploited by anonymous users; no account or prior access is required.
Update: Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: https://www.drupal.org/PSA-2014-003
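To make the mechanism concrete, the following is an added example and not code from this advisory or from Drupal itself: a simplified PHP model of how Drupal 7's database layer expands a placeholder that is bound to an array (e.g. `:name` with two values becomes `:name_0, :name_1`). The function and variable names are the example's own; what it mirrors is the behaviour that 7.32 corrected in database.inc, namely that the pre-7.32 code used the caller's array keys to build placeholder names, so a key that arrived from request input (Drupal builds such arrays from parameters of the form `name[<key>]=<value>`) was spliced verbatim into the SQL text. The corrected form re-indexes the array with `array_values()` before building placeholders.

```php
<?php
// Added example (not Drupal's own code): a simplified model of placeholder
// expansion for array-valued query arguments, in its vulnerable form and in
// the corrected form. Names are the example's own.

/**
 * Expand a placeholder bound to an array into one placeholder per element.
 *
 * @param string $query  SQL containing named placeholders such as ":name".
 * @param array  $args   Placeholder => value map; array values get expanded.
 * @param bool   $fixed  FALSE models the pre-7.32 behaviour, TRUE the fix.
 * @return array         [expanded SQL text, expanded argument map]
 */
function expand_array_arguments($query, array $args, $fixed) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    // The fix: array_values() re-indexes the data so $i is always an
    // integer position and never an attacker-supplied string key.
    $items = $fixed ? array_values($data) : $data;
    $new_keys = array();
    foreach ($items as $i => $value) {
      // Vulnerable form: $i is whatever key the caller's array carried, and
      // it becomes part of the placeholder name written into the SQL text.
      $new_keys[$key . '_' . $i] = $value;
    }
    // Replace the original placeholder with the comma-separated list of new ones.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

$sql = "SELECT uid FROM users WHERE name IN (:name)";

// Constructed benign input: a plain list, integer keys only.
$benign = array(':name' => array('alice', 'bob'));

// Constructed hostile input: the array KEY carries SQL. The extra integer-keyed
// element is there so that the placeholder ":name_0" that survives expansion
// still has a bound value in the argument map.
$hostile = array(':name' => array("0 OR 1=1) -- " => 'x', 0 => 'y'));

foreach (array('vulnerable' => FALSE, 'fixed' => TRUE) as $label => $fixed) {
  foreach (array('benign' => $benign, 'hostile' => $hostile) as $kind => $args) {
    list($q, $a) = expand_array_arguments($sql, $args, $fixed);
    printf("%-10s %-8s %s\n", $label, $kind, $q);
    printf("%-10s %-8s args: %s\n", '', '', json_encode($a));
  }
}
```

Run with `php example.php`. The vulnerable path turns the hostile input into `SELECT uid FROM users WHERE name IN (:name_0 OR 1=1) -- , :name_0)`, i.e. attacker text now lives in the SQL itself rather than in a bound value; the fixed path produces `... IN (:name_0, :name_1)` for the same input, with the hostile key discarded and both values bound as data. This is why the advisory's patch is a change to database.inc rather than to any one form: every call site that passed an array argument was exposed through this single expansion routine.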
CVE identifier(s) issued

CVE-2014-3704
Versions affected
Drupal core 7.x versions prior to 7.32.
Solution
Install the latest version:
If you use Drupal 7.x, upgrade to Drupal core 7.32.
If you are unable to update to Drupal 7.32, you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.
Also see the Drupal core project page and the follow-up public service announcement.
Reported by
Stefan Horst
Fixed by
Stefan Horst
Greg Knaddison of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
David Rothstein of the Drupal Security Team
Klaus Purer of the Drupal Security Team
Coordinated by
The Drupal Security Team
Contact and More Information
We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Edits to this advisory since publishing
Updated risk factor from 20/25 to 25/25 once exploits did appear
Edited to add link to PSA.