Drupal vulnerability has new POC

New Proof of Concept for the 2 week old Drupal vulnerability

The Drupal Security team says that you should assume every Drupal website not patched on October 15th was infected.

A SQL injection attack went around the Internet in an automated fashion.

And the details are:


In this code we see, that Drupal gives the value of the $_COOKIE[$insecure_session_name] directly to the vulnerable SQL function. This fact can be exploited to get a working session for the Admin user. To do so we inject this SQL query:

UNION SELECT '$user_id','$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,'$user_id','$session_id','','',0,0,null --

So now even https is infected.