
Another critical vulnerability in Drupal 7



Following the XML-RPC vulnerability, Sektion Eins recently found a vulnerability that affects every version of the 7.x branch. It lets an attacker execute arbitrary SQL queries against the Drupal database without holding any rights in the system. Its severity is rated as the highest. On October 15 a core update, version 7.32, was released that closes this vulnerability. Developers are strongly advised to update core immediately. The update takes very little time: only the file /includes/database/database.inc needs to be replaced. Until a site is updated, the only thing that can protect it is blocking access to it entirely; maintenance mode does not help.

The vulnerability was in the function that prepares placeholder values for an SQL query. When a placeholder's value is an array (the case used to build SQL IN (...) lists), the code assumes the array is not associative and derives the names of the expanded placeholders from the array's keys. If an associative array with specially crafted keys is passed to that function, the keys end up in the query text itself, so the SQL query can be manipulated.
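The mechanism described above, as an added illustration that is not code from the Drupal project or from the original post: a Python re-implementation of the placeholder-expansion logic, with the pre-7.32 behaviour beside a version that models the 7.32 fix (re-indexing the values with fresh integer keys before building placeholder names). The function name, the sample query, the crafted keys and the `placeholders_are_sane` check are all constructed for this example.

```python
import re

# Added example, not Drupal's code: a Python re-implementation of the
# placeholder-expansion logic described above. The function name, the sample
# query and the crafted array keys are constructed for illustration.

# A placeholder name produced by expansion should never be anything but a
# bare identifier; anything else means caller-controlled text got in.
PLACEHOLDER_NAME = re.compile(r"^:[A-Za-z_][A-Za-z0-9_]*$")


def expand_arguments(query, args, fixed=False):
    """Expand array-valued placeholders into a comma-separated list.

    query -- SQL text with named placeholders such as ':name'
    args  -- mapping of placeholder name to a scalar or a dict (a dict here
             models a PHP array, whose keys may be strings or integers)
    fixed -- False reproduces the pre-7.32 behaviour (placeholder names built
             from the caller's keys); True models the 7.32 fix, which walks
             the values with fresh integer indexes instead.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        items = enumerate(data.values()) if fixed else data.items()
        # ':name' + '_' + <key> -> ':name_0', ':name_1', ...
        new_keys = {f"{key}_{i}": value for i, value in items}
        # The joined placeholder list is spliced straight into the query text,
        # so whatever ended up in the names becomes SQL.
        query = re.sub(re.escape(key) + r"\b",
                       lambda _m: ", ".join(new_keys), query)
        del args[key]
        for k, v in new_keys.items():
            args.setdefault(k, v)  # PHP '$args += $new_keys' keeps existing keys
    return query, args


def placeholders_are_sane(args):
    """Hardening check: every placeholder name must be a bare identifier."""
    return all(PLACEHOLDER_NAME.match(k) for k in args)


# Constructed sample input: a lookup query with an IN list, and an associative
# array whose first key carries SQL instead of a numeric index.
QUERY = "SELECT uid FROM users WHERE name IN (:name) AND status = 1"
CRAFTED_ARGS = {":name": {"0 OR 1=1 -- ": "x", "0": "y"}}


if __name__ == "__main__":
    vuln_query, vuln_args = expand_arguments(QUERY, CRAFTED_ARGS)
    print("vulnerable:", vuln_query)
    print("placeholders sane:", placeholders_are_sane(vuln_args))

    fixed_query, fixed_args = expand_arguments(QUERY, CRAFTED_ARGS, fixed=True)
    print("fixed:     ", fixed_query)
    print("placeholders sane:", placeholders_are_sane(fixed_args))
```

With the crafted array, the unfixed expansion turns the query into `... name IN (:name_0 OR 1=1 -- , :name_0) AND status = 1`: the key text is now part of the SQL and the trailing comment swallows the rest of the original condition. The fixed expansion yields `... name IN (:name_0, :name_1) ...` regardless of what keys the caller supplied, and the identifier check on the resulting placeholder names is a cheap assertion to keep around any code that builds query text from data structures.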

Exploits are already circulating online that change the password of the system's superadmin (the Drupal user with ID 1). Nothing, however, prevents adapting them to target any user on any site. Update immediately and spread this information as widely as possible.
A curious detail: a report of this vulnerability appeared in the Drupal issue tracker more than 11 months ago, but it never reached the security team. The developers now have to explain how this happened and what they have done to reduce the likelihood of it happening again.

PS: As Razunter pointed out, the same vulnerability in the 8.x branch is fixed in the released 8.0.0-beta2.

Source: https://habr.com/ru/post/240721/

