Drupal 7.32 and why you need to upgrade, how to fix it.

Published on Thursday 16, October 2014
This is a bit late on the #drupalgeddon // #drupalsa05 post, but the need to update is just too alarming to go unmentioned. Like this tweet from @outlandishjosh
Essentially there is a flaw in how Drupal processes its PDO placeholders that allows anonymous users to perform a remote SQL injection from a simple URL query. A quick proof of concept was posted in a Reddit comment. Scripts are popping up all over the place, which means this will burn like wildfire. Not sure how to fix it? You can update Drupal core wholesale or manually apply the patch.

Update: if you use CloudFlare, extra protection


Method 1: Apply patch manually. It's a quick one-line change.
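
Why a one-line change is enough, shown as a simplified PHP model added here (it is not Drupal's source and not from the original post). It assumes the fix is the switch to array_values() over the argument array, as in the published 7.32 patch; the function names, the query and the sample array are hypothetical and constructed for illustration.

```php
<?php
// Simplified model of array-placeholder expansion (illustrative; not Drupal's source).

// Pre-fix behaviour: placeholder names are built from the array's own keys.
function expand_with_keys(string $query, string $name, array $values): array {
    $args = [];
    foreach ($values as $i => $value) {
        $args[$name . '_' . $i] = $value; // $i may be any string the caller chose
    }
    return [str_replace($name, implode(', ', array_keys($args)), $query), $args];
}

// Post-fix behaviour: array_values() discards the keys, so $i is always 0..n-1.
function expand_with_positions(string $query, string $name, array $values): array {
    $args = [];
    foreach (array_values($values) as $i => $value) {
        $args[$name . '_' . $i] = $value;
    }
    return [str_replace($name, implode(', ', array_keys($args)), $query), $args];
}

// Defensive check: every generated placeholder must be ":" plus word characters.
function placeholders_are_clean(array $args): bool {
    foreach (array_keys($args) as $placeholder) {
        if (!preg_match('/^:\w+\z/', $placeholder)) {
            return false;
        }
    }
    return true;
}

// Constructed input: an array whose first key is caller-supplied text, not an index.
$values = ['0 KEY_TEXT_FROM_CALLER' => 'alice', 1 => 'bob'];
$sql    = 'SELECT uid FROM users WHERE name IN (:name)';

foreach (['expand_with_keys', 'expand_with_positions'] as $expand) {
    [$query, $args] = $expand($sql, ':name', $values);
    printf("%-22s %s\n  placeholders clean: %s\n", $expand, $query,
        placeholders_are_clean($args) ? 'yes' : 'no');
}
```

With the key-based version the key text becomes part of the SQL string itself; with the position-based version only the bound values carry caller data.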

Method 2: Drush

You can use Drush's update function to update Drupal on your current site. Simply run 'drush up' and update your Core.

Issues where Drush can't find 7.32

There's an issue where Drush's cache prevents it from seeing the new release (Drupal.org issue). The resolution is to run "drush rf" to force it to clear any cache_update table entries. Unfortunately that didn't work in my case as I use Vagrant and make files. In order to get Drush to discover the new version I had to manually purge the file cache for the release history. This can simply be done with the following command (Mac OS X / Linux):

rm $HOME/.drush/cache/download/http---updates.drupal.org-release-history-drupal-7.x