The security team for the Drupal project is warning users that websites running unpatched installations of version 7 of the popular open source content management system (CMS) may have been compromised by automated attacks.
"You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15, 11pm UTC, that is 7 hours after the announcement," the security team said.
Attackers are presently attempting to exploit a Structured Query Language (SQL) injection flaw in Drupal that was disclosed two weeks ago.
The flaw is rated as highly critical, scored 25 of a possible 25 by the group's own risk matrix, and may affect hundreds of thousands of websites around the world.
As of October this year, Drupal.org estimates that over 950,000 sites use version 7.x of the CMS. It is not known how many of these remain vulnerable to the SQL injection flaw.
PreviousNext's aGov Drupal 7 distribution forms the basis of the Australian government's govCMS. It is used by the departments of finance, social services, environment, and employment, as well as more than a hundred federal and state government agencies.
The attacks leave no trace, the Drupal security team said, and could result in all data from compromised sites being copied and used maliciously.
Furthermore, attackers may have installed backdoors for access to and control of sites using the vulnerability. The security team warned that simply updating Drupal to version 7.32 will not remove the malicious code.
It recommended that users take potentially compromised websites offline, restore them from backups taken before October 15, and apply the security patch before bringing them back online.
Users are also advised to audit anything that is merged from compromised websites to ensure it has not been tampered with.
If restoring from backup is not possible, the Drupal security team recommends rebuilding sites from scratch, as backdoors can be extremely hard to find.
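The team's rule above (patched to 7.32 or fixed before Oct 15, 11pm UTC, otherwise assume compromise) can be turned into a triage check across an inventory of sites; this is an added example, not code from the article or the Drupal project, and its site records, `patch_applied` flag and `patched_at` field are constructed for illustration. It relies on Drupal 7 declaring its core version in `includes/bootstrap.inc` as `define('VERSION', '7.x');`.

```python
import re
from datetime import datetime, timezone

# Cutoff stated by the Drupal security team: Oct 15 2014, 11pm UTC.
CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)
FIXED_IN = (7, 32)  # core release that closes the SQL injection flaw

# Drupal 7 declares its version in includes/bootstrap.inc as define('VERSION', '7.x');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9.]+)'\s*\)")


def parse_core_version(bootstrap_inc: str):
    """Return the core version as a tuple, e.g. (7, 31), or None if absent."""
    m = VERSION_RE.search(bootstrap_inc)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(site: dict) -> str:
    """Classify one site record under the security team's rule.

    Record keys (constructed for this example, not a Drupal format):
      bootstrap_inc - text of includes/bootstrap.inc
      patch_applied - True if only the standalone fix was applied
      patched_at    - timezone-aware datetime of the fix, or absent
    """
    version = parse_core_version(site["bootstrap_inc"])
    if version is None or version[0] != 7:
        return "not-drupal-7"
    fixed = version >= FIXED_IN or site.get("patch_applied", False)
    if not fixed:
        return "vulnerable-assume-compromised"  # still exposed; patch and rebuild
    patched_at = site.get("patched_at")
    if patched_at is None or patched_at > CUTOFF:
        return "assume-compromised"  # fixed too late; restore or rebuild
    return "patched-in-time"  # still audit content merged from other sites


def triage_all(sites: dict) -> dict:
    return {name: triage(rec) for name, rec in sites.items()}


# Constructed sample inventory, not real sites.
SAMPLE_SITES = {
    "intranet": {"bootstrap_inc": "<?php\ndefine('VERSION', '7.32');\n",
                 "patched_at": datetime(2014, 10, 15, 18, 30, tzinfo=timezone.utc)},
    "blog": {"bootstrap_inc": "<?php\ndefine('VERSION', '7.31');\n",
             "patch_applied": True,
             "patched_at": datetime(2014, 10, 16, 9, 0, tzinfo=timezone.utc)},
    "shop": {"bootstrap_inc": "<?php\ndefine('VERSION', '7.28');\n"},
}

if __name__ == "__main__":
    for name, status in triage_all(SAMPLE_SITES).items():
        print(f"{name}: {status}")
```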