SQL Injection Attack on Webform

Created on 30 January 2025, 7 days ago
Updated 2 February 2025, 3 days ago

I have identified a critical security issue in my Drupal website Webform where an attacker is injecting SQL code and automatically submitting the form. This poses a severe risk as it can lead to database exploitation, downtime, or unauthorized data access. I have received 300 emails within one hour due to this attack. This SQL code automatically generates webform submissions.

Below are some of the payloads observed in the Webform submissions:

-5) OR 617=(SELECT 617 FROM PG_SLEEP(15))--
(SELECT (0) FROM (SELECT (SLEEP(15))) v)/*'+(SELECT (0) f
LOAE450H'; WAITFOR DELAY '0:0:1'

Bug report
Status: Active
Version: 6.2
Component: Code
Created by: rajeevcoder (India)
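All three payloads quoted above are time-based (blind) SQL injection probes, each built around a different database's sleep primitive. The following triage script is an added example, not code from the issue or from the Webform module: it scans constructed sample submissions for those primitives and reports which field and which database dialect each probe targets. The field names and submission ids are assumptions; in practice the values would come from the stored Webform submission data.

```python
import re

# Sleep primitives used by time-based (blind) SQL injection probes, keyed by
# the database dialect they target. The three payloads in the report use
# PG_SLEEP (PostgreSQL), SLEEP() (MySQL/MariaDB) and WAITFOR DELAY (SQL Server).
SLEEP_PRIMITIVES = {
    "postgresql": re.compile(r"\bpg_sleep\s*\(", re.IGNORECASE),
    "mysql": re.compile(r"\bsleep\s*\(", re.IGNORECASE),  # \b keeps PG_SLEEP out
    "mssql": re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE),
}

# Constructed sample submissions (not real data): the three payloads quoted in
# the report plus two benign messages that mention "sleep" or contain "--".
SAMPLE_SUBMISSIONS = [
    {"sid": 101, "name": "-5) OR 617=(SELECT 617 FROM PG_SLEEP(15))--", "message": "test"},
    {"sid": 102, "name": "x", "message": "(SELECT (0) FROM (SELECT (SLEEP(15))) v)/*'+(SELECT (0) f"},
    {"sid": 103, "name": "LOAE450H'; WAITFOR DELAY '0:0:1'", "message": "hello"},
    {"sid": 104, "name": "Priya", "message": "I could not sleep, please call me back (urgent)."},
    {"sid": 105, "name": "Ahmed", "message": "Quote for 15 units -- delivery next week?"},
]


def detect_dialects(value):
    """Return the dialects whose sleep primitive appears in one field value."""
    return [name for name, pat in SLEEP_PRIMITIVES.items() if pat.search(value)]


def scan_submissions(submissions):
    """Flag every submission that carries a time-based probe in any text field.

    Each hit records the submission id, the field and the dialect(s) seen, which
    is enough to group the burst by probe type and to feed a blocking rule.
    A hit means a probe was submitted, not that the injection succeeded.
    """
    flagged = []
    for sub in submissions:
        for field, value in sub.items():
            if field == "sid" or not isinstance(value, str):
                continue
            dialects = detect_dialects(value)
            if dialects:
                flagged.append({"sid": sub["sid"], "field": field, "dialects": dialects})
    return flagged


if __name__ == "__main__":
    for hit in scan_submissions(SAMPLE_SUBMISSIONS):
        print(hit)
```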
