Security updates for Drupal CMS
The developers of the Drupal CMS have released an advisory in which they identify a potential SQL injection vulnerability. The taxonomy_select_nodes function injects unverified variables into SQL queries, so specially crafted variables can pass arbitrary instructions to the database. Attackers may exploit this vulnerability to extract protected database contents or even to manipulate them.
Although the taxonomy module itself verifies contents before passing them on, additional modules contributed by third parties may not do so and may instead pass unfiltered parameters to the function. The advisory names taxonomy_menu, ajaxLoader and ubrowser as examples. According to the developers, Drupal versions up to 4.7.9 and 5.4 are affected. Updated versions 4.7.9 and 5.4 were released to resolve the problem. However, this update introduced a critical but non-security flaw, so versions 4.7.10 and 5.5 have now been made available for download. The developers have also released patches which users may apply as an alternative.
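As an added illustration (not code from Drupal core or from the advisory), the pattern the advisory describes: a callee that splices its term IDs straight into SQL is only safe while every caller validates them first, whereas a callee that validates and parameterises its own input stays safe when a contributed module forgets to. The PDO connection, the term_node table and both function names are assumptions for this example.

```php
<?php
// Added illustration, not Drupal's own code: a simplified, hypothetical
// lookup in the style of taxonomy_select_nodes(), receiving term IDs from
// a contributed module. Assumes a PDO connection and a table
// term_node(tid, nid); both are assumptions for this example.

// Vulnerable pattern: term IDs are spliced into the query as-is, so the
// function is only safe when every caller has validated them beforehand.
function select_nodes_unsafe(PDO $db, array $tids): array {
    $sql = 'SELECT nid FROM term_node WHERE tid IN (' . implode(',', $tids) . ')';
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the callee validates its own input, rejecting anything
// that is not a non-negative integer, and uses placeholders so the database
// never interprets the values as SQL.
function select_nodes_safe(PDO $db, array $tids): array {
    $clean = [];
    foreach ($tids as $tid) {
        if (!is_int($tid) && !(is_string($tid) && ctype_digit($tid))) {
            throw new InvalidArgumentException('term id must be an integer');
        }
        $clean[] = (int) $tid;
    }
    if (!$clean) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $db->prepare("SELECT nid FROM term_node WHERE tid IN ($placeholders)");
    $stmt->execute($clean);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE term_node (tid INTEGER, nid INTEGER)');
$db->exec('INSERT INTO term_node VALUES (1, 10), (1, 11), (2, 20)');

print_r(select_nodes_safe($db, ['1']));       // nids 10 and 11
try {
    select_nodes_safe($db, ['1 OR 1=1']);     // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The unsafe variant would accept the same non-integer string and hand it to the database unchanged, which is exactly the exposure a non-validating contributed module creates.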
- Drupal core - SQL Injection possible when certain contributed modules are enabled, advisory on Drupal.org