3

Recently, CVE-2014-3704 was in the news. This vulnerability allows attackers to execute SQLi without needing to be logged in. However, I've looked at the available exploits, and I found only exploits that make use of the login form. Does this mean that when access to the login form is restricted (IP whitelist), there is no risk (as long as they cannot access the login form)? Or is it possible to exploit this via a different Drupal component as well?

Some thoughts would be appreciated!

f4der
  • 131
  • 1

3 Answers

1

According to the Drupal advisory:

This vulnerability can be exploited by anonymous users.

According to this answer:

I can confirm that this vulnerability will work with every Drupal 7.31 and lower site; it doesn't matter which modules are active. Every Drupal form could be used to exploit this vulnerability.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
1

All you need access to is any page on the site.

There is a blog post with some advanced proof-of-concept code from the person who originally found the vulnerability. These proofs of concept show:

  • Using the cookie contents to get a session for an arbitrary user.
  • Using the Form API in a cookie to execute arbitrary PHP (while leaving no traces in the logs).

I haven't tested these myself, but have a high degree of confidence they would work.

greggles
  • 560
  • 1
  • 8
  • 20
0

The SQL injection required a Drupal form. The login form is ubiquitous. It's placed on the Drupal site by default, so it's most likely to show up in targets.

If there was another form on the website, it could be used for the attack as well.

Ohnana
  • 4,737
  • 2
  • 23
  • 39
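The three answers agree that the login form is only the most convenient carrier: any Drupal form, and, per greggles' answer, even a cookie, can deliver the injection, so IP-restricting the login URL does not reduce the exposure of a site at 7.31 or lower. What a defender can do while patching is watch request logs for the shape of this bug, which is unusual: the SQL syntax arrives in a form-field or cookie *name*, not in a value. The script below is an added example (not code from the question, any of the answers, the referenced blog post, or Drupal itself). It scans constructed sample requests and flags any field or cookie name that is not a plain identifier with identifier-or-integer subscripts and contains SQL metacharacters. The request paths, the cookie name and the bodies are constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample requests for this example (not captured from any real site).
SAMPLE_REQUESTS = [
    # Benign login submission.
    {"path": "/user/login", "cookie": "has_js=1",
     "body": "name=alice&pass=secret&form_id=user_login&op=Log+in"},
    # Benign contact form; Drupal array-style field names are normal and must not fire.
    {"path": "/contact", "cookie": "",
     "body": "subject=Hi&field_tags[und][0][tid]=7&form_id=contact_site_form"},
    # Field *name* carrying SQL metacharacters, the CVE-2014-3704 shape, on a non-login form.
    {"path": "/contact", "cookie": "",
     "body": "name[0;+--]=x&pass=y&form_id=contact_site_form"},
    # Same shape smuggled through a cookie name instead of a form body.
    {"path": "/", "cookie": "SESSd41d8cd9=abc; name[0'%20--]=x",
     "body": ""},
]

# A well-formed Drupal field name: an identifier, optionally followed by subscripts
# that are themselves identifiers or integers (e.g. field_tags[und][0][tid]).
SAFE_KEY = re.compile(r"^[A-Za-z0-9_.-]+(\[[A-Za-z0-9_.-]*\])*$")
# Characters that are SQL syntax and have no business in a field or cookie *name*.
SQL_META = re.compile(r"""[;'"]|--|/\*|\s""")


def split_form_body(body):
    """Split a urlencoded body into (key, value) pairs, decoding but not normalising keys."""
    pairs = []
    for chunk in body.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def split_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs."""
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs


def suspicious_keys(pairs):
    """Return the keys that are not well-formed names and contain SQL metacharacters."""
    return [k for k, _ in pairs if not SAFE_KEY.match(k) and SQL_META.search(k)]


def scan_request(req):
    """Check both the form body and the cookie header of one request."""
    findings = []
    for key in suspicious_keys(split_form_body(req["body"])):
        findings.append(("body", key))
    for key in suspicious_keys(split_cookie_header(req["cookie"])):
        findings.append(("cookie", key))
    return findings


def scan_all(requests):
    """Return (index, path, source, key) for every suspicious parameter name found."""
    hits = []
    for i, req in enumerate(requests):
        for source, key in scan_request(req):
            hits.append((i, req["path"], source, key))
    return hits


if __name__ == "__main__":
    for hit in scan_all(SAMPLE_REQUESTS):
        print("request %d %s: suspicious %s parameter name %r" % hit)
```

Keying on parameter names rather than values is what keeps this usable: ordinary Drupal forms are full of legitimate `field[und][0][value]` keys, and values legitimately contain quotes and semicolons, so a value-based SQLi rule would drown in noise. The scan is only a stopgap for triage of logs already collected; it does not block anything, and the answers above make clear that restricting URLs is not a fix either.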