New Proof of Concept for the 2 week old Drupal vulnerability
The Drupal Security team says that you should assume every Drupal website not patched on October 15th was infected.
A SQL injection attack went around the Internet in an automated fashion.
And the details are:
In this code we see, that Drupal gives the value of the $_COOKIE[$insecure_session_name] directly to the vulnerable SQL function. This fact can be exploited to get a working session for the Admin user. To do so we inject this SQL query:
UNION SELECT '$user_id','$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,'$user_id','$session_id','','127.0.0.1',0,0,null -- So now even https is infected.