Hacker News new | ask | show | jobs
by anonfunction 4263 days ago
> Full SQL injection, which results in total control and code execution of Website.

Well that doesn't sound good. Drupal.org itself is still running[1] on the unpatched version 7.3.1 which sends a message of how likely sites are to be updated.

[1] https://www.drupal.org/CHANGELOG.txt
1 comments
TacticalMalice 4263 days ago
Drupal.org is patched and has been for weeks.
link
pearjuice 4263 days ago
That's impressive given the exploit is a day old.
link
antsar 4263 days ago
FTFA:

> Disclosure Timeline:

> 16. Sep. 2014 - Notified the Drupal devs via security contact form

> 15. Okt. 2014 - Relase of Bugfix by Drupal core Developers

link
pearjuice 4263 days ago
Ah, must have overlooked the months. Makes me wonder why they left this in the wild for a month and now suddenly put thousands of installations at risk.
link
TacticalMalice 4263 days ago
> now suddenly put thousands of installations at risk

There's a solution that goes with the advisory. You cannot provide a patch without putting sites at risk.

Furthermore, the vulnerability was present since the Drupal 7.0 release, several years ago. There were no exploits seen in the wild. What are a few weeks then?

The team decided that speed to patch sites asap _after_ release of the information was critical. This is the reason why it was released after a pre-announcement and after a conference tying up most stakeholders.

link
TacticalMalice 4263 days ago
Drupal.org was a qa testcase for the patch.
link