Widespread Drupal Bug at the Root of Indiana Government Breach


Drupal, a popular content management system that competes with WordPress, recently concluded that users who didn’t install its latest bug patch within seven hours should consider their websites susceptible to hacks of all sorts.

The patch was a fix for a newly identified flaw that can facilitate a “SQL injection” attack.

On Nov. 3, “Indiana's Department of Education glimpsed the dark side of patch management, after administrators discovered that their website had been defaced,” CSO reports.

A person purporting to represent the Nigeria Cyber Army claimed responsibility for the vandalism, which was likely part of an Internet-wide defacement sweep.

The graffiti contained a simple statement:

"Hacked by cY63r M4R$#4L | Nigeria Cyber Army xD"

The real source of the defacement was a vulnerable Drupal installation, Indiana officials said:

"This morning, the Indiana Department of Education’s website was hacked due to an apparent Drupal vulnerability. However, there is no sign that any data hosted on the website was compromised. The Department’s Information Technology staff has taken the website down temporarily while this issue is addressed. It is currently anticipated that the website will be down at least through the rest of the day."

The vandalism was visible on every page of the website.

Based on public evidence, the attacker’s likely entry point was a form on the Staff Directory page.

The SQL injection flaw in Drupal existed within an application that, ironically, was supposed to prevent SQL injections. Due to the vulnerability, all previous versions of Drupal “are likely to have been targeted remotely by automated means,” according to CSO.

If the flaw is exploited, an attacker can inject SQL queries, which are rogue database commands, or elevate access rights.

Exploitation would allow full control and the ability to install backdoors for later infiltration, Drupal explained.