Drupal core 7.x SQL injection vulnerability
Description
A critical SQL injection vulnerability exists in the database abstraction API of Drupal core versions 7.0 through 7.31. The vulnerability allows unauthenticated attackers to bypass input sanitization mechanisms and inject malicious SQL queries through specially crafted HTTP requests. This pre-authentication flaw was discovered by Stefan Horst of SektionEins GmbH and affects all Drupal 7.x installations prior to version 7.32.
Remediation
Immediately upgrade Drupal core to version 7.32 or later, which contains the security fix for this vulnerability. Follow these steps:
1. Backup your database and files before performing any updates
2. Download Drupal 7.32 or later from the official Drupal website
3. Apply the update following Drupal's standard upgrade procedures
4. Review database logs and user accounts for signs of compromise, as this vulnerability may have been exploited prior to patching
5. Reset all user passwords if there is any indication of unauthorized access
For systems that cannot be immediately upgraded, consider implementing temporary mitigation measures such as restricting database user permissions and deploying web application firewall rules to filter malicious requests, though upgrading remains the only complete solution.