Drupal 7: Drupalgeddon Exploit

Drupal faced one of its biggest security vulnerabilities recently. It was so bad, it was dubbed “Drupalgeddon”. It affected every single site that was running Drupal 7.31 (latest at the time) or below, as you can read in this Security Advisory.

The exploit could be executed via SQL Injection. The problem was in the expandArguments() method in abstract DatabaseConnection class (\drupal7\includes\database\database.inc) extending PDO. In this method, under the nested foreach loop iterating over the $data array as $i => $value, the $i variable is never sanitized as it is assumed to be a incrementing integer. However, this is not actually the case when posting inputs with the name attribute as arrays, such as:

The above will be posted as:

In this case, you will actually be iterating over the pass array with $i being ‘pass1‘ and ‘pass2‘. All other inputs are sanitized, except for these. This is where SQL could have been injected to exploit any website running Drupal.

Drupalgeddon SQL Injection

Drupalgeddon Injected SQL

Drupalgeddon Hacked

This vulnerability could be easily fixed with wrapping the $data array with the array_values() function, although you could have also updated to Drupal 7.32. This function makes any associative array into a regular array with incrementing keys.



Drupalgeddon was such a major issue because it affected every single version of Drupal 7 before the 7.32 security update addressing the issue. It’s security risk was rated at 25/25 by the Drupal Security Team. It was also such as easy way to inject SQL. In addition, hours after posting the Security Advisory, there was a Public Service Announcement revealing backdoors were implemented, and would remain even after upgrading to 7.32 providing continuous access to your site from hackers.

This post was created with a video for Google Code-In 2014 to explain Drupalgeddon, and why it was such a major issue.

Author: Akshay Kalose

A teenager, who is interested in Computer Science, Information Technology, Programming, Web Designing, Engineering and Physical Sciences.

One thought on “Drupal 7: Drupalgeddon Exploit”

Leave a Reply

Your email address will not be published. Required fields are marked *