Language Selection

English French German Italian Portuguese Spanish

Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites

Submitted by Rianne Schestowitz on Wednesday 15th of April 2015 07:21:13 PM Filed under
Drupal
Security

On October 29, 2014, the Drupal Security Team released advisory identifier DRUPAL-PSA-2014-003. This advisory informed administrators of Drupal-based Web sites that all Drupal-based Web sites utilizing vulnerable versions of Drupal should be considered compromised if they were not patched/upgraded before 2300 UTC on October 15, 2014 (seven hours following the initial announcement of the vulnerability in SA-CORE-2014-005).

In the case of the Drupageddon vulnerability, the database abstraction layer provided by Drupal included a function called expandArguments that was used in order to expand arrays that provide arguments to SQL queries utilized in supporting the Drupal installation. Due to the way this function was written, supplying an array with keys (rather than an array with no keys) as input to the function could be used in order to perform an SQL injection attack.

Read more

»

More in Tux Machines

Ubuntu Leftovers

  • How to Create an ISO from Current Installation in Ubuntu 20.04 – Linux Hint

    In Ubuntu, most programs and operating systems can be installed through the ISO file. The ISO file format is a live identical image of the specific operating environment that contains all required installation files. Another name used for ISO files is a disc image. So, an ISO file is a perfect duplicate of the content of an optical disc, such as DVD and CD images. An ISO file is a package that consists of installation directories in an ISO format. Users can create a backup of their current installation in an ISO file format. The ISO file can also be used as an external drive, or you can make a bootable USB. if you have an ISO file, then you can create the installation disc by burning the image to a CD or USB. This article shows you how to create an ISO file from a currently installed Ubuntu 20.04 system. You can create an ISO file from the current installation of Ubuntu 20.04 using any of the following methods.

  • How to Install Security Updates in Ubuntu 20.04 – Linux Hint

    An essential part of using any operating system is to check for security updates from time to time. It can be difficult to keep track of security updates all the time. One of the easiest ways to keep your Ubuntu system secure is by upgrading your software packages. New versions add the latest features available, and system security is increased by updating programs frequently. This guide shows you how to install security updates in Ubuntu 20.04, which will be performed by upgrading security packages.

  • How To Use the C Programming Language in Ubuntu 20.04 – Linux Hint

    C is an excellent procedural programming language for beginners who want to learn how to program. Many applications, including databases and operating systems, use this general-purpose programming language for development. The C language is popular among new learners because it is not only easy to use but also helps programmers to better understand the internal architecture of the computer. C is the first step into the programming world, and after learning the C programming language, it will not be as difficult to learn other programming languages. Moreover, the C language is portable, as programs written in this language can be transferred to various platforms without requiring any changes to the code. This article shows you how to use the C programming language in Ubuntu 20.04 (LTS) and 20.10.

  • What is build-essential Ubuntu, how to install and use it? – Linux Hint

    The build-essentials packages are meta-packages that are necessary for compiling software. They include the GNU debugger, g++/GNU compiler collection, and some more tools and libraries that are required to compile a program. For example, if you need to work on a C/C++ compiler, you need to install essential meta-packages on your system before starting the C compiler installation. When installing the build-essential packages, some other packages such as G++, dpkg-dev, GCC and make, etc. also install on your system. Above, we have described what the build-essential packages are. In the rest of the article, we will explain how to install and use build-essentials on Ubuntu systems. All terminal commands we have executed on Ubuntu 20.04 system in this article. Let’s dive into the depths!

  • Learning Dart & Flutter

    My employer, Canonical - recently announced we’re working with the Flutter developers to bring their platform to the Linux desktop. My interest was piqued. Personally I like the concept of writing applications which can run on many platforms. I sometimes dabble with game development engines like Construct3, GDevelop, Unity & Godot which all have multiple export options for different platforms. Having similarly powerful, cross-platform and open source tools for building mobile and desktop (non-game) applications is welcome in my book.

  • The Fridge: Ubuntu Weekly Newsletter Issue 673

    Welcome to the Ubuntu Weekly Newsletter, Issue 673 for the week of February 28 – March 6, 2021. The full version of this issue is available here.

Best Hex Editors for Linux

This article will list useful hex editor applications available for Linux. Hex editors allow you to modify pre-compiled binary files whose source code is typically not available to change. They work by browsing binary data present in a file and then presenting the data in hexadecimal notation to users. Hex editors can also show partial or full ASCII data depending on the contents of the file. These hex editors allow you to change hexadecimal values, thereby allowing users to modify file behavior even if they don’t have access to source code. However, the data represented by a hex editor is not exactly human readable. Reading and interpreting hexadecimal values to infer program logic and behavior is not an easy task by any means and it takes considerable efforts to find values and make even the smallest of change. A hex editor is one of the first tools used while reverse engineering a file. Read more

LibreOffice Online with Team Editing Collaboration

Continuing the intro, now we will try LibreOffice Online with team collaboration. This allows you and friends (a team) altogether to edit a document simultaneously via the internet. It supports computer, laptop, as well as Android device users. How to do that? This simple tutorial explains it step by step for you. [...] Once a friend clicked the link, he/she will open your document on the web browser, asked for a name, asked for the password if any, and finally can edit the document together with you at the same time. The name asked will be used as identifier when a team working together. Read more

Security Leftovers

  • Feeding Frenzy as criminal groups stake their claim on Outlook Web Access servers

    This weekend, several days after the Patch Tuesday when Microsoft released fixes for the ProxyLogon vulnerability, Netcraft found more than 99,000 unpatched Outlook Web Access servers accessible on the internet — of which several thousand have clear evidence of one of more web shells installed. Outlook Web Access (OWA) provides remote access to on-premises Microsoft Exchange mailboxes. While a treasure trove of corporate email is a tempting enough target itself, it can also act as jumping-off point for deeper network access. Vulnerable versions allow unfettered remote access to the mail server. Originally attributed to the Hafnium group, the variety of different web shells and file naming conventions found by Netcraft suggest that the shells belong to multiple groups who have been spurred into action since Microsoft’s announcement by the scale of the opportunity.

  • A Basic Timeline of the Exchange Mass-Hack

    Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange? Pressed for a date when it first became aware of the problem, Microsoft told KrebsOnSecurity it was initially notified “in early January.” So far the earliest known report came on Jan. 5, from a principal security researcher for security testing firm DEVCORE who goes by the handle “Orange Tsai.” DEVCORE is credited with reporting two of the four Exchange flaws that Microsoft patched on Mar. 2.

  • David Tomaschik: BSidesSF 2021 CTF: Encrypted Bin (Author Writeup)

    I thought I’d do a walk through of how I expected players to solve the challenge, so I’ll write this as if I’m playing the challenge. Visiting the web service, we find an upload page for text and not much else. When we perform an upload, we see that we’re redirected to a page to view the encrypted upload...

More on Tux Machines: AboutGalleryForumBlogsSearchNewsRSS Feed

Part of Bytes Media ● Sister sites below.

TechBytes Techrights button

Powered by Drupal, an open source content management system

Content available under CC-BY-SA CC

© by original authors

Powered by CentOS 6.5 (GNU/Linux), Varnish, and Drupal 6