Drupal is an open source framework written in PHP and is ranked as the third most popular content management system by W3Techs. It has introduced a database abstraction API to prevent SQL injection attacks, so only sanitized queries will be executed. However, recently a highly critical SQL injection vulnerability was discovered in the API itself allowing attackers to execute arbitrary SQL queries. Successful exploitation may result in a complete system compromise.
Several exploits are already published. Most are exploiting this vulnerability to create an administrative account.
Mitigation using F5 ASM Attack Signatures
While running the SQLI exploit on an ASM protected application the attacker will be blocked by generic SQL injection signatures. Those signatures are part of the generic signature set that is assigned to any security policy by default.
The injection is inside a parameter name called “name”.
An example exploit vector will update the “users” table with a user named “owned”. The vulnerable parameter “name” will contain following SQL query:
name[0 ;update users set name='owned' , pass = <hash> where uid = '1';;# ]=test3
This exploit will trigger 3 signatures. Two of them (200002289, 200002248) will catch the attempt to update a certain table, while one (200005005) catches the attempt to specify the “uid” attribute (specifying user id), which is used in LDAP injection attacks as well.