| Scoutnet vzw http://forum.scoutnet.be/ |
|
| [Drupal] Security announcements: Profile search - SQL Inject http://forum.scoutnet.be/viewtopic.php?f=19&t=2139 |
Pagina 1 van 1 |
| Auteur: | To [ 18 Jun 2008 18:09 ] |
| Titel: | [Drupal] Security announcements: Profile search - SQL Inject |
------------SA-2008-036 - PROFILE SEARCH - SQL INJECTION------------ * Advisory ID: SA-2008-036 * Project: Profile Search (third-party module) * Versions: 5.x * Date: 2008-July-18 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities ------------DESCRIPTION------------ The Profile search module provides a way for users to search users by all profile fields, as provided by the profile module in core. Numerous values are used in SQL strings without being properly sanitized. Users with the "access user profiles" permission can use these values to execute SQL injection attacks. These attacks may lead to administrator access. ------------VERSIONS AFFECTED------------ * Profile search 5.x releases prior to 5.x-1.0. Drupal core is not affected. If you do not use the contributed Profile search module, there is nothing you need to do. ------------SOLUTION------------ Install the latest version: * If you currently use Profile search 5.x, upgrade to Profile search 5.x-1.0 [ http://drupal.org/node/272061 ] See also the Profile search project page [ http://drupal.org/project/profilesearch ]. ------------REPORTED BY------------ This issue was reported by Larry Garfield (Crell [ http://drupal.org/user/26398 ]), who has now taken over maintenance of the module. ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. |
|
| Pagina 1 van 1 | Alle tijden zijn UTC + 1 uur |
| Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/ |
|