MIS 5211 – Wade Mackey

Week 11 Readings and News Articles

Reading – SQL Injection Tutorial
———————————-
When creating a website for public use, it is very important to test for vulnerabilities that let users modify the URL in such a way that they can maliciously connect to the database and extract, modify, and even delete data, all from a common browser. It is very easy to check for this vulnerability, as noted in the reading. WebCruiser, a common web vulnerability tool, will aid in the audit process.
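
To make the URL-to-database path concrete, here is an added example (not from the reading or from any tool it mentions) that puts a string-built query beside a parameterized one. The `articles` table, its rows, and the `example.test` URLs are constructed for illustration, and Python's built-in `sqlite3` stands in for the site's database.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles "
               "(id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Welcome", 1),
                    (2, "Release notes", 1),
                    (3, "Unpublished draft", 0)])
    return db

def id_from_url(url):
    """Return the decoded 'id' query parameter exactly as the client sent it."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]

def lookup_vulnerable(db, url):
    # Weak: the URL value is pasted into the SQL text, so it can rewrite the query.
    sql = ("SELECT title FROM articles WHERE published = 1 AND id = "
           + id_from_url(url))
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, url):
    # Fixed: reject non-numeric input, then bind the value as a parameter,
    # so the database treats it as data and never as SQL.
    raw = id_from_url(url)
    if not (raw.isascii() and raw.isdigit()):
        return []
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in db.execute(sql, (int(raw),))]

if __name__ == "__main__":
    db = make_db()
    normal = "http://example.test/article?id=2"               # constructed URL
    tampered = "http://example.test/article?id=2%20OR%201=1"  # constructed URL
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("hardened", lookup_hardened)):
        print(name, fn(db, normal), fn(db, tampered))
```

With the tampered URL, the string-built query returns every row, including the unpublished one, while the parameterized version returns nothing.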

Weekly Article
—————–
http://www.theregister.co.uk/2014/10/16/drupal_megavuln_sql_injection/

Drupal SQL injection nasty leaves sites ‘wide open’ to attack

Before Drupal came up with a patch for Version 7 (7.3), those not on the new version were vulnerable to SQL injection attacks. Many people create their sites in Drupal mostly (in my opinion) because of their lack of programming knowledge, so many if not all of the sites running version 7 and before share the same vulnerability, since their code is set up in almost the same fashion. From what I am told, it is not difficult to find sites using these versions simply by using a simple Google search. A German security firm discovered the flaw, and it has been stated that a malicious user can exploit these vulnerabilities without any kind of authentication. To make matters worse, the vulnerability had been sitting in the public domain in Drupal's public bug tracking database since November 2013 (this article was written in October 2014).

 
