------------SA-2008-075 - VIEWS - SQL INJECTION------------
* Advisory ID: DRUPAL-SA-2008-075
* Project: Views
* Versions: 6.x
* Date: 2008-December-16
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: SQL injection
------------DESCRIPTION------------
The Views module provides a flexible method for Drupal site designers to control how lists of content are presented.
When using an exposed filter on CCK [ http://drupal.org/project/cck ] text fields with allowed values, Views does not filter the data correctly. This may allow malicious users to conduct SQL injection [ http://en.wikipedia.org/wiki/SQL_injection ] attacks against the site.
------------VERSIONS AFFECTED------------
* Versions of Views for Drupal 6.x prior to 6.x-2.2
Drupal core is not affected. If you do not use the Views module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version.
* If you use Views for Drupal 6.x, upgrade to 6.x-2.2 [ http://drupal.org/node/347831 ]
Also see the Views project page [ http://drupal.org/project/views ].
------------REPORTED BY------------
* Peter Fisera (goatvirus [ http://drupal.org/user/360900 ])
* Mariano D'Agostino (dagmar [ http://drupal.org/user/154086 ])
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] by selecting the security issues category.