1 comment

[ 3.6 ms ] story [ 17.3 ms ] thread
> its portal used by customers to access sensitive data was run on a three-year-old version of Drupal, 7.23

Drupal 7.23 is vulnerable to https://www.drupal.org/SA-CORE-2014-005. Anyone who's ever read a Wikipedia article on SQL injection could have had shell access to that site. As a Drupal core contributor, I've always felt a small irrational amount of guilt for not catching that defect. But today suddenly I feel just a tiny bit better.