In association with heise online

10 December 2007, 10:29

Security updates for Drupal CMS


The developers of the Drupal CMS have released an advisory in which they identify a potential SQL injection vulnerability. The taxonomy_select_nodes function inserts unverified variables directly into SQL queries, so specially crafted variables allow arbitrary SQL to be passed to the database. Attackers may exploit this vulnerability to extract, or even manipulate, protected database contents.

Although the taxonomy module itself verifies values before passing them on, contributed modules from other suppliers may not do so and may instead pass unfiltered parameters to the function. The advisory states that this applies, for example, to taxonomy_menu, ajaxLoader and ubrowser. According to the developers, Drupal versions up to 4.7.9 and 5.4 are affected. Updated versions 4.7.9 and 5.4 were released to resolve the problem. However, this update introduced a critical, though not security-related, flaw. Versions 4.7.10 and 5.5 have therefore now been made available for download. The developers have also released patches which users may apply as an alternative.
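To illustrate the class of bug described above, here is an added example in Python (not Drupal's own code): a query helper in the style of taxonomy_select_nodes, assumed here to take a list of taxonomy term IDs from its caller, first interpolating them unchecked and then with the caller-side validation and placeholders the advisory expects contributed modules to apply. The tables and rows are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data: two nodes, one published, each tagged with a term ID.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER, title TEXT, status INTEGER);
        CREATE TABLE term_node (nid INTEGER, tid INTEGER);
        INSERT INTO node VALUES (1, 'Public post', 1), (2, 'Unpublished draft', 0);
        INSERT INTO term_node VALUES (1, 7), (2, 9);
    """)
    return db


QUERY = ("SELECT n.nid, n.title FROM node n JOIN term_node t ON n.nid = t.nid "
         "WHERE n.status = 1 AND t.tid IN (%s)")


def select_nodes_unsafe(db, tids):
    # Vulnerable pattern: the caller's values become part of the SQL text, so a
    # non-numeric "term id" rewrites the query and the status filter no longer holds.
    sql = QUERY % ", ".join(str(t) for t in tids)
    return [row[1] for row in db.execute(sql)]


def validate_tids(tids):
    # The check a calling module must perform before handing values on:
    # accept only non-negative integers, reject everything else outright.
    clean = []
    for value in tids:
        if not str(value).isdigit():
            raise ValueError("invalid term id: %r" % (value,))
        clean.append(int(value))
    return clean


def select_nodes_safe(db, tids):
    # Hardened form: validated integers bound through placeholders, never
    # concatenated into the statement.
    tids = validate_tids(tids)
    sql = QUERY % ", ".join("?" for _ in tids)
    return [row[1] for row in db.execute(sql, tids)]
```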
