Immunity Canvas: DRUPAL_NAME_SQLI_CALLBACK

2014-10-15T20:55:06
ID DRUPAL_NAME_SQLI_CALLBACK
Type canvas
Reporter Immunity Canvas
Modified 2014-10-15T20:55:06

Description

Name| drupal_name_sqli_callback
---|---
CVE| CVE-2014-3704
Exploit Pack| CANVAS
Description| Drupal injection exploit
Notes| CVE Name: CVE-2014-3704
VENDOR: drupal.org
Notes:

This exploit tries to open a PHP callback to CANVAS by injecting PHP code
into Drupal's login block through the database SQL injection.

Repeatability: Infinite
References: https://www.drupal.org/SA-CORE-2014-005
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704