Scoutnet vzw http://forum.scoutnet.be/ |
Drupal: Views - SQL Injection http://forum.scoutnet.be/viewtopic.php?f=19&t=2211 |
Author: | jorisp [ 18 Dec 2008 11:16 ] |
Title: | Drupal: Views - SQL Injection |
------------SA-2008-075 - VIEWS - SQL INJECTION------------

* Advisory ID: DRUPAL-SA-2008-075
* Project: Views
* Versions: 6.x
* Date: 2008-December-16
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: SQL injection

------------DESCRIPTION------------

The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. When using an exposed filter on CCK [ http://drupal.org/project/cck ] text fields with allowed values, Views does not filter the data correctly. This may allow malicious users to conduct SQL injection [ http://en.wikipedia.org/wiki/SQL_injection ] attacks against the site.

------------VERSIONS AFFECTED------------

* Versions of Views for Drupal 6.x prior to 6.x-2.2

Drupal core is not affected. If you do not use the Views module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version.

* If you use Views for Drupal 6.x upgrade to 6.x-2.2 [ http://drupal.org/node/347831 ]

Also see the Views project page [ http://drupal.org/project/views ].

------------REPORTED BY------------

* Peter Fisera (goatvirus [ http://drupal.org/user/360900 ])
* Mariano D'Agostino (dagmar [ http://drupal.org/user/154086 ])

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category.
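Added example, not part of the original post or of the Drupal advisory: a small audit helper that classifies an installed Views version against the "prior to 6.x-2.2" range given above. It assumes the version is read from the `version = "..."` line of a packaged `views.info` file and that pre-releases sort below the final release; the site names and file contents are constructed.

```python
import re

FIXED = "6.x-2.2"  # first fixed Views release named in DRUPAL-SA-2008-075

_VERSION = re.compile(
    r"^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<patch>\d+|x)"
    r"(?:-(?P<tag>alpha|beta|rc|dev)(?P<n>\d*))?$"
)
# Assumption: a pre-release (alpha/beta/rc) sorts below the final release
# with the same number, so 6.x-2.2-rc1 counts as "prior to 6.x-2.2".
_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4}

def _parse(version):
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"not a Drupal contrib version string: {version!r}")
    return m

def _key(m):
    return (int(m["major"]), int(m["patch"]), _RANK[m["tag"]], int(m["n"] or 0))

def info_version(info_text):
    """Pull the version out of the text of a packaged module .info file."""
    m = re.search(r'^\s*version\s*=\s*"?([^"\n]+?)"?\s*$', info_text, re.M)
    return m.group(1) if m else None

def views_status(version):
    """Classify a Views version: affected / fixed / not-covered / unknown."""
    m = _parse(version)
    if m["core"] != "6":
        return "not-covered"  # the advisory lists Views 6.x only
    if m["patch"] == "x":
        return "unknown"      # -dev snapshot: the string does not identify the code
    return "affected" if _key(m) < _key(_parse(FIXED)) else "fixed"

# Constructed sample: site name -> contents of its views.info file.
SAMPLE_INFO = {
    "intranet": 'name = Views\ncore = 6.x\nversion = "6.x-2.1"\n',
    "www": 'name = Views\ncore = 6.x\nversion = "6.x-2.2"\n',
    "staging": 'name = Views\ncore = 6.x\nversion = "6.x-2.x-dev"\n',
}

def audit(info_by_site):
    found = {site: info_version(text) for site, text in info_by_site.items()}
    return {site: views_status(v) if v else "unknown" for site, v in found.items()}

if __name__ == "__main__":
    for site, status in audit(SAMPLE_INFO).items():
        print(f"{site}: {status}")
```

Sites reported as "unknown" run a development snapshot or have no version line, so they need a manual check against the fixed release.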
All times are UTC + 1 hour |