This is a bit late on the #drupalgeddon // #drupslsa05 post, but the need to update is just too alarming to go unmentioned. Like this tweet from @outlandishjosh:

I'll update w/more on what we're seeing later today, but it is clear: Black-hats are exploiting #drupslsa05 already. This is not a drill.— Josh Koenig (@outlandishjosh) October 16, 2014

Essentially, there is a flaw in how Drupal processes its PDO placeholders that allows anonymous users to perform a remote SQL injection with a simple URL query. A quick proof of concept was in a Reddit comment. Scripts are popping up all over the place, which means this will burn like wildfire. Not sure how to fix? You can update Drupal core wholesale or manually apply the patch.
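The placeholder flaw described above, as an added example: a simplified model with hypothetical function names, not Drupal's own code and not part of the original post. When an array is bound to a single placeholder, the array's keys (which can come from the request) were used to build the expanded placeholder names; the hardened branch reindexes with `array_values()` first, which is the approach the core fix takes.

```php
<?php
// Simplified model of array-placeholder expansion (hypothetical names).

function expand_placeholders(string $query, array $args, bool $hardened): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        // Hardened: drop caller-supplied keys so indexes are always 0..n-1.
        $items = $hardened ? array_values($data) : $data;

        $expanded = [];
        foreach ($items as $i => $value) {
            // Vulnerable path: $i is whatever key the caller sent.
            $expanded[$key . '_' . $i] = $value;
        }

        $list = implode(', ', array_keys($expanded));
        $pattern = '#' . preg_quote($key, '#') . '\b#';
        // Callback avoids "$1"-style interpretation of the replacement text.
        $query = preg_replace_callback($pattern, fn() => $list, $query);

        unset($args[$key]);
        $args += $expanded;
    }
    return [$query, $args];
}

// Defensive check: every bound name must be a plain ":identifier".
function placeholders_are_well_formed(array $args): bool
{
    foreach (array_keys($args) as $name) {
        if (!preg_match('/^:\w+$/', (string) $name)) {
            return false;
        }
    }
    return true;
}

$sql = 'SELECT uid FROM users WHERE name IN (:name)';
// Constructed inputs: a normal list, and one whose key carries request text.
$cases = [
    'list input'  => [':name' => ['alice', 'bob']],
    'keyed input' => [':name' => ['0 /* text from the request */' => 'alice']],
];
foreach ($cases as $label => $args) {
    foreach ([false, true] as $hardened) {
        [$q, $bound] = expand_placeholders($sql, $args, $hardened);
        $ok = placeholders_are_well_formed($bound) ? 'ok' : 'MALFORMED';
        printf("%-11s hardened=%d %-9s %s\n", $label, $hardened, $ok, $q);
    }
}
```

In the unhardened run of the keyed input, the request-supplied key text appears inside the SQL string itself rather than as bound data, which is why this issue bypasses the protection prepared statements normally give.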