Commanding Chaos for Coworking, Open Source and Creative Communities

Follow up on Drupal SA-2014-005, SQL Injection | Drupal.org

Mon, 12/15/2014 - 10:39 -- rprice

the PSA also resulted in a large volume of press coverage – in fact much more coverage than the original disclosure of the vulnerability on October 15th. Not surprisingly, the general tone of the press coverage was quite negative. Unfortunately, some of the coverage was also inaccurate which we’d like to address here as well as provide additional context regarding our security processes. While we don’t know the total number of Drupal sites affected, the number is not near 12 million as stated in several publications. Unless disabled, individual Drupal sites report their existence back to Drupal.org and this system reports around 1 million total Drupal sites. While this is not an exact measure of live Drupal sites we can infer that the affected number of specifically vulnerable Drupal 7 sites is more likely to be under 1 million. SA-CORE-2014-005 was certainly a severe issue, if not the most severe issue in Drupal’s history;