Protection against a critical Drupal security bug

The authors of the Drupal CMS software recently announced a “highly critical” Drupal security bug (CVE-2014-3704). This vulnerability is being very widely exploited: if you run Drupal 7 on a server without protective web-server rules, and you haven’t upgraded to Drupal 7.32, your site is going to be compromised (taken over by “hackers”) soon, if it hasn’t been already.

To protect our customers who have installed Drupal, yesterday we added security rules to block the common attacks. And today, we “patched” the vulnerable “database.inc” file on every copy of Drupal on our servers, blocking the more complicated attacks that we expect to see in the future.

So our customers are protected against this particular problem. But that doesn’t mean you shouldn’t upgrade Drupal: older versions also have other security bugs. So if you’ve installed the Drupal 7 software on your site, please make absolutely sure you’ve upgraded to version 7.32 today.

Can I see the mod_security rules?

Although our customers are fully protected, we’re often asked to share our mod_security rules when we post something like this. If you’re the technical person running a server for other people who use unpatched Drupal, these rules will stop the most common automated attacks against the Drupal login page:

# All three rules are chained: the request is denied only when every one of them matches.
# 1. The request is for Drupal's front controller (an empty basename or index.php).
SecRule SCRIPT_BASENAME "^(index\.php)?$" "deny,auditlog,chain"
# 2. The submitted form is the login block.
SecRule ARGS:form_id "^user_login_block$" "chain"
# 3. Some argument NAME starts with "name[": a normal login sends "name" as a plain value,
#    so an array-style "name[...]" parameter on the login form is the anomaly to block.
SecRule ARGS_NAMES "^name\["

But note that the bug lives in Drupal’s database layer (the “database.inc” file mentioned above), not in the login form itself, so other forms in Drupal are almost certainly vulnerable to the same bug, and these rules won’t catch attacks against them. Upgrading to 7.32 or patching the vulnerable “database.inc” file is the only proper fix.
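To make concrete what the three chained rules above do and do not catch, here is an added example (written for this page, not code from the original post or from the ModSecurity or Drupal projects): a small Python model of the chain, run over a few constructed requests. The sample requests, the `would_deny` helper and its friends are all assumptions of this example; the way it models `SCRIPT_BASENAME` (last path segment of the URL) and `ARGS` (query string plus body, keys kept verbatim) is a simplification of how ModSecurity actually derives those variables.

```python
"""Model of the three chained ModSecurity rules from the post, run over
constructed requests. Added example; not the page's or ModSecurity's code.

A chain is evaluated top to bottom and the request is denied only when
every link matches:
  1. SCRIPT_BASENAME is empty or "index.php"   (Drupal's front controller)
  2. the argument form_id is exactly "user_login_block"
  3. at least one argument NAME starts with "name["
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# The regexes are the ones in the SecRule lines, unchanged.
RE_SCRIPT = re.compile(r"^(index\.php)?$")
RE_FORM_ID = re.compile(r"^user_login_block$")
RE_ARG_NAME = re.compile(r"^name\[")


def parse_args(url: str, body: str = "") -> dict:
    """Collect query-string and body parameters, roughly as ARGS does.
    Keys keep their literal '[...]' suffix (assumption of this model)."""
    args = {}
    for source in (urlsplit(url).query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            args.setdefault(name, []).extend(values)
    return args


def script_basename(url: str) -> str:
    """Model SCRIPT_BASENAME as the last path segment: '/' -> '',
    '/index.php' -> 'index.php'. (Simplification: this ignores Apache
    rewrites, which ModSecurity would see in the real variable.)"""
    return posixpath.basename(urlsplit(url).path)


def chain_matches(basename: str, args: dict) -> bool:
    """True when all three links of the chain match, i.e. the request is denied."""
    if not RE_SCRIPT.match(basename):
        return False
    if not any(RE_FORM_ID.match(v) for v in args.get("form_id", [])):
        return False
    return any(RE_ARG_NAME.match(name) for name in args)


def would_deny(url: str, body: str = "") -> bool:
    """Convenience wrapper: parse the request, then evaluate the chain."""
    return chain_matches(script_basename(url), parse_args(url, body))


# Constructed sample requests (not real traffic). The "name[constructed]"
# key is a placeholder standing in for any array-style name parameter.
SAMPLES = {
    # Ordinary login: "name" is a scalar, so the request is allowed.
    "legit_login": ("/?q=user",
                    "name=alice&pass=secret&form_id=user_login_block&op=Log+in"),
    # Array-style name on the login form: all three links match, denied.
    "array_name_login": ("/index.php?q=user",
                         "name%5Bconstructed%5D=x&pass=x&form_id=user_login_block"),
    # The same anomaly on some other form: link 2 fails, so NOT caught.
    # This is the caveat in the post: only the login form is covered.
    "array_name_other_form": ("/?q=node/add",
                              "name%5Bconstructed%5D=x&form_id=some_other_form"),
    # Login form served by a script other than index.php: link 1 fails.
    "other_script": ("/other.php",
                     "name%5Bconstructed%5D=x&form_id=user_login_block"),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the modelled chain."""
    return {label: would_deny(url, body) for label, (url, body) in SAMPLES.items()}


if __name__ == "__main__":
    for label, denied in evaluate_samples().items():
        print(f"{label:24s} -> {'DENY' if denied else 'allow'}")
```

The point of the third sample is the one the post makes: the chain is keyed to `form_id=user_login_block`, so the identical anomalous parameter submitted to any other Drupal form passes straight through. That is why the rules are a stop-gap for the common automated attacks, not a substitute for upgrading to 7.32 or patching database.inc.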