Хостинг от ERA Host
EraHost – Free Domain, Cheap Hosting!
Client Area
Support 24/7
USD

Select Currency

USD - United States Dollar
EUR - Euro
GBP - British Pound
CAD - Canadian Dollar
CHF - Swiss Franc
JPY - Japanese Yen
AUD - Australian Dollar
TRY - Turkish Lira
CNY - Chinese Yuan
INR - Indian Rupee
UAH - Ukrainian Hryvnia
AED - United Arab Emirat...United Arab Emirates Dirham
AMD - Armenian Dram
AOA - Angolan Kwanza
ARS - Argentina Peso
AWG - Aruba Guilder
AZN - Azerbaijanian Mana...Azerbaijanian Manat
BAM - Bosnian Convertibl...Bosnian Convertible Marka
BDT - Bangladesh Taka
BGN - Bulgarian Lev
BHD - Bahraini Dinar
BIF - Burundian Franc
BMD - Bermudian Dollar
BND - Brunei Dollar
BOB - Bolivian Boliviano
BRL - Brazilian Real
BSD - Bahamian Dollar
BTN - Bhutanese Ngultrum
BWP - Botswana Pula
BZD - Belize Dollar
CLP - Chilean Peso
CRC - Costa Rican Colon
CVE - Cape Verdean Escud...Cape Verdean Escudo
CZK - Czech Koruna
DJF - Djiboutian Franc
DKK - Danish Krone
DOP - Dominican Peso
DZD - Algerian Dinar
EGP - Egyptian Pound
ETB - Ethiopian Birr
FJD - Fijian Dollar
FKP - Falkland Island Po...Falkland Island Pound
GEL - Georgian Lari
GGP - Guernsey Pound
GHS - Ghanaian Cedi
GMD - Gambian Dalasi
GTQ - Guatemalan Quetzal
GYD - Guyanese Dollar
HKD - Hong Kong Dollar
HNL - Honduran Lempira
HRK - Croatian Kuna
HUF - Hungarian Forint
ILS - Israeli New Shekel
IMP - Isle of Man Pound
ISK - Icelandic Krona
JEP - Jersey Pound
KES - Kenyan Shilling
KGS - Kyrgystani Som
KMF - Comorian Franc
KRW - South Korean Won
KWD - Kuwaiti Dinar
KZT - Kazakhstani Tenge
LAK - Lao Kip
LKR - Sri Lankan Rupee
LRD - Liberian Dollar
LSL - Lesotho Loti
LTL - Lithuanian Litas
LVL - Latvian Lats
MAD - Moroccan Dirham
MDL - Moldovan Leu
MKD - Macedonian Denar
MNT - Mongolian Tugrik
MOP - Macanese Pataca
MRO - Mauritanian Ouguiy...Mauritanian Ouguiya
MUR - Mauritian Rupee
MVR - Maldivian Rufiyaa
MXN - Mexican Peso
MYR - Malaysian Ringgit
MZN - Mozambican Metical
NAD - Namibian Dollar
NIO - Nicaraguan Cordoba...Nicaraguan Cordoba Oro
NOK - Norwegian Krone
NPR - Nepalese Rupee
NZD - New Zealand Dollar
OMR - Omani Rial
PEN - Peruvian Nuevo Sol
PGK - Papua New Guinean...Papua New Guinean Kina
PKR - Pakistani Rupee
PLN - Polish Zloty
PYG - Paraguayan Guarani
QAR - Qatari Riyal
RON - Romanian New Leu
RSD - Serbian Dinar
RWF - Rwandan Franc
SAR - Saudi Riyal
SBD - Solomon Islands Do...Solomon Islands Dollar
SCR - Seychellois Rupee
SEK - Swedish Krona
SGD - Singapore Dollar
SHP - St. Helena Pound
SRD - Surinamese Dollar
SVC - Salvadoran Colon
SZL - Swazi Lilangeni
THB - Thai Baht
TJS - Tajikistani Somoni
TMT - Turkmenistani Mana...Turkmenistani Manat
TND - Tunisian Dinar
TOP - Tongan Pa`anga
TWD - New Taiwan Dollar
UYU - Uruguayan Peso
WST - Samoan Tala
ZMW - Zambian Kwacha
Menu
EraHost – Free Domain, Cheap Hosting!
Хостинг от ERA Host
  • Registration
  • 24/7 Support
    24/7 Support
Home  ›  Blog  ›  Website Security

CVE-2014-3704: Emergency Security Patch for Drupal (Drupalgeddon)

Table of Contents: Critical Vulnerability Overview Prerequisites & Backup Download the Official Patch Apply the Patch Verify & Test the Patch Monitor for Exploitation Additional Hardening Measures Summary
Applying Drupal Security Patch for Critical Vulnerability
CRITICAL SECURITY ALERT: CVE-2014-3704, also known as "Drupalgeddon," is an extremely severe SQL injection vulnerability in Drupal 7 core. It allows remote attackers to execute arbitrary SQL commands without authentication, potentially leading to full site compromise, data theft, and malware installation. All Drupal 7 sites running versions prior to 7.32 are affected.

If you cannot immediately upgrade your Drupal site to version 7.32 or later, this guide will walk you through manually applying the official security patch as an emergency mitigation.

Critical Vulnerability Overview

  • CVE ID: CVE-2014-3704
  • Drupal Advisory: SA-CORE-2014-005
  • Affected Versions: Drupal 7.x versions before 7.32
  • Vulnerability Type: SQL Injection via the expandArguments() function in the database API.
  • Impact: Allows unauthenticated attackers to execute arbitrary SQL code on your database, leading to administrator account creation, data exfiltration, code execution, and complete site takeover.
Important: This patch is a temporary emergency measure. The only complete solution is to upgrade Drupal to the latest secure version (Drupal 7.x is end-of-life as of January 2025). Plan for an immediate upgrade after patching.

Prerequisites & Backup

Before touching any files, create comprehensive backups to ensure you can recover in case of errors.

1. Backup Your Site Files

tar -czvf drupal_backup_$(date +%Y%m%d).tar.gz /path/to/your/drupal/installation

2. Backup Your Database

mysqldump -u YOUR_DB_USER -p YOUR_DATABASE_NAME > drupal_db_backup_$(date +%Y%m%d).sql

3. Identify Your Drupal Version

Confirm you are running a vulnerable version.

cd /path/to/drupal drush status | grep "Drupal version" # OR check manually: cat includes/bootstrap.inc | grep "define('VERSION'"

If the version is less than 7.32 (e.g., 7.31, 7.30), proceed.

Download the Official Patch

Download the patch file directly from the official Drupal security team.

cd /path/to/drupal wget https://www.drupal.org/files/issues/SA-CORE-2014-005.patch # OR using curl: curl -O https://www.drupal.org/files/issues/SA-CORE-2014-005.patch

Verify the file was downloaded:

ls -la SA-CORE-2014-005.patch

Apply the Patch

1. Navigate to Your Drupal Root

cd /path/to/your/drupal/installation

2. Apply the Patch

patch -p1 < SA-CORE-2014-005.patch

Expected Successful Output:

patching file includes/database/database.inc
patching file includes/database/mysql/database.inc
patching file includes/database/pgsql/database.inc
If the patch fails: If you see errors like "Reversed (or previously applied) patch detected", the patch may already be applied. If you see "Hunk FAILED", your Drupal core files may have been modified (e.g., by another module). You may need to restore the original database.inc files from a clean Drupal 7.31 package before applying.

3. Clear Drupal Cache

Clear all caches to ensure the patched code is loaded.

drush cache-clear all # If you don't have Drush: # 1. Log into Drupal admin # 2. Go to Configuration > Performance # 3. Click "Clear all caches"

Verify & Test the Patch

1. Verify the Patch Was Applied

Check the modified file to confirm the security fix is in place.

grep -n "is_array" includes/database/database.inc

You should see new lines added around the expandArguments() function that include array checking logic.

2. Test Site Functionality

  1. Browse your website as a normal user.
  2. Log in as an administrator and check the admin panels.
  3. Test any critical forms (user login, contact forms, search).

3. Check Error Logs

# Check Drupal watchdog logs (via Drush) drush watchdog-show --count=20 # Check recent PHP/Apache/Nginx errors sudo tail -50 /var/log/apache2/error.log # OR sudo tail -50 /var/log/nginx/error.log

Monitor for Exploitation Attempts

Attackers aggressively scanned for and exploited this vulnerability. Check your logs for signs of compromise.

1. Search for Exploitation Patterns in Web Server Logs

sudo grep -i "SA-CORE-2014-005\|CVE-2014-3704\|expandArguments" /var/log/apache2/access.log # Look for suspicious query patterns: sudo grep -E "(node.*destination|uid\[.*\]\[table\]=users)" /var/log/apache2/access.log

2. Check for Unexpected Administrator Users

# In your database: mysql -u root -p -e "SELECT uid, name, mail, created FROM users WHERE name LIKE '%admin%' OR name LIKE '%test%' ORDER BY created DESC LIMIT 10;" drupal_database

3. Indicators of Compromise (IoC)

  • New, unexpected administrator users (especially created around the time of the vulnerability disclosure in October 2014).
  • Unknown or modified PHP files in the sites/ directories.
  • Unexpected cron jobs or database entries.
If you suspect compromise: Assume your site is fully compromised. Do not just patch. You must:
  1. Take the site offline.
  2. Restore from a known-good backup from before October 15, 2014.
  3. Apply the patch to the clean backup.
  4. Change all passwords (database, admin, SSH).
  5. Conduct a full security audit.

Additional Hardening Measures

While waiting for a full upgrade, implement extra layers of defense.

1. Restrict Access with .htaccess (Apache)

If the site is for internal use, restrict IP access in your Drupal root .htaccess:

Order deny,allow
Deny from all
Allow from 192.168.1.0/24   # Your office network
Allow from 203.0.113.5      # Your static IP
Allow from 2001:db8::/32    # Your IPv6 range

2. Implement a Web Application Firewall (WAF)

  • Cloudflare: Enable WAF rules and block SQL injection patterns.
  • Sucuri: Site-level WAF and monitoring.
  • ModSecurity: Open-source WAF for Apache/Nginx.

3. File Integrity Monitoring

# Generate checksums of core files after patching find . -name "*.php" -type f -exec md5sum {} \; > /root/drupal_patched.md5 # Later, verify they haven't changed: md5sum -c /root/drupal_patched.md5 2>/dev/null | grep -v "OK"

Summary

Step Command / Action Purpose
1. Backup tar -czvf backup.tar.gz /path/to/drupal Create rollback point in case of failure
2. Download Patch wget https://www.drupal.org/files/issues/SA-CORE-2014-005.patch Get official fix from Drupal Security Team
3. Apply Patch patch -p1 < SA-CORE-2014-005.patch Apply security fix to vulnerable files
4. Clear Cache drush cache-clear all Load patched code into memory
5. Verify grep -n "is_array" includes/database/database.inc Confirm patch is applied correctly
6. Monitor Check logs for exploitation patterns Detect if site was attacked before patching
Final and Most Critical Step: Plan and execute a full upgrade to the latest supported version of Drupal. Drupal 7 reached end-of-life (EOL) in January 2025 and no longer receives security updates. Migrate to Drupal 10 or another modern CMS as soon as possible.

By following this guide, you can urgently mitigate the Drupalgeddon vulnerability while preparing for the necessary full upgrade to secure your website long-term.

Hosting

Cloud Solution

For You

VDS

Website Builders


Our services

Client Area

Contact

ICANN
18+ Service. By continuing to use this website, you agree to the use of cookies. More detailed information can be found on the "What are cookies"page.

Выберите валюту

USD - United States Dollar
EUR - Euro
GBP - British Pound
CAD - Canadian Dollar
CHF - Swiss Franc
JPY - Japanese Yen
AUD - Australian Dollar
RUB - Russian Ruble
TRY - Turkish Lira
CNY - Chinese Yuan
INR - Indian Rupee
UAH - Ukrainian Hryvnia
© 2006 - 2026 EraHost. All rights reserved