Platform.sh and Drupal 7.32 Core SQL Injection
On October 15, 2014, the Drupal Security Team released Drupal 7.32 to remedy a severe SQL injection vulnerability in core. Platform.sh took immediate actions to protect all Drupal customers. Here is the list of specific actions that have been taken, and some answers to questions that our customers have asked us.
Steps taken by Commerce Guys:
All customers have been contacted directly with instructions for eliminating the vulnerability.
Platform.sh is able to recognize whether a Drupal site is vulnerable to this attack. Whenever the vulnerability is detected, this is what happens:
On Platform.sh Standard production sites, POST requests are blocked, and GET requests are sanitized (query strings, cookies, and custom headers are stripped). This allows your site to remain online, although it will not be functional as a CMS.
On Platform.sh Standard development sites, access is denied outright and a message is shown with instructions to fix the problem.
Platform.sh Enterprise customers, as well as customers with application support packages, will have their sites updated directly by the Platform.sh team. They will be contacted to confirm this patch is being managed for them, so if you didn’t get contacted you need to perform this update yourselves.
As soon as your Drupal site has been upgraded to 7.32, or patched manually, the security measures above will be deactivated and your site will operate normally. Note that every environment needs to be updated (via Git push, Synchronize, or Merge).
How will the site be blocked?
If you are trying to access a Drupal site hosted on Platform.sh and see this message, Platform.sh has blocked your request.
We apologize, but this page is not currently accessible. The site administrator has been informed and we hope to have the issue resolved soon.
Once the Drupal site has been updated, this message will disappear and the site will return to normal.
How do I apply the security upgrade?
On Platform.sh, it depends on the way you deployed your website:
- If you are deploying your website with the Drush Make workflow, simply edit your
project.makefile and replace the Drupal core version with
projects[drupal][version] = 7.32.
- If you are using a distribution of Drupal (Drupal Commons, Commerce Kickstart, etc.) that is not yet updated, add:
projects[yourcoreprojectname][patch] = "<link to the patch>"to the project.
- If you are deploying your website manually (“vanilla mode”), apply this patch manually.
Remember, for customers who subscribe to Platform.sh Enterprise, Developer Support, and Application Support packages, the patch will be made for you.
If you are a Platform.sh Standard customer, you need to apply the patch yourself, otherwise a protective block will be placed on only the sensitive pages until the patch is applied.
This is terrible, I can’t afford to have downtime!
You’re right. However, this particular security announcement from the Drupal Security Team is particularly nasty as it reveals a security hole that is both easy to exploit and can be used to completely infiltrate your site. Being hacked is worse than downtime, which is why the Platform.sh team has taken steps to help guarantee that no security breach takes place.