Widespread Drupal Bug at the Root of Indiana Government Breach

Popular content management system Drupal recently concluded that users who didn’t install the company’s latest bug patch within seven hours should consider their websites susceptible to hacks of all sorts.

The update was a fix for a newly identified glitch that can facilitate a “SQL injection” attack.

On Nov. 3, “Indiana's Department of Education glimpsed the dark side of patch management, after administrators discovered that their website had been defaced,” CSO reports.

A person claiming to represent the Nigeria Cyber Army claimed responsibility for the vandalism, likely part of an Internetwide defacement sweep, and not a targeted assault.

The real source of the defacement, however, was a vulnerable Drupal installation, Indiana officials said.

Based on public evidence, the attacker’s likely entry point was a form on the site’s Staff Directory page.

The flaw in Drupal existed within an application that -- ironically – was supposed to prevent SQL injections. Due to the vulnerability, all previous versions of Drupal “are likely to have been targeted remotely by automated means,” according to CSO.

If exploited, an attacker can inject SQL queries -- which are rogue database commands -- or elevate access rights.

Exploitation can allow full control, and the ability to install backdoors for later infiltration.

Read the rest at ThreatWatch, Nextgov’s regularly updated index of cyber breaches.

And find out even more on “NG Cybersecurity,” our iPhone app.

(Image via ChromaWise/Shutterstock.com)