* Advisory ID: DRUPAL-SA-CONTRIB-2011-009 * Project: Droptor (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Critical * Exploitable from: Remote * Vulnerability: SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring and management solution. When capturing memory logging information the module does not filter the value input from the current page request variable. This vulnerability can be exploited to perform an SQL Injection attack [1]. This vulnerability is mitigated by the fact that memory monitoring must be enabled, which is not the default configuration.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Droptor module for Drupal 6.x before version 6.x-2.8
Only sites that have "memory monitoring" enabled in their Droptor settings page are affected. The Drupal 7 version of this module is not affected. Drupal core is not affected. If you do not use the contributed Droptor [2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Droptor module for Drupal 6.x before version 6.x-2.8 upgrade to Droptor 6.x-2.8 [3].
See also the Droptor project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Heine Deelstra [5] and Peter Wolanin [6], of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Justin Emond (jemond [7]), module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org [9] or via the form at http://drupal.org/contact [10].
[1] http://en.wikipedia.org/wiki/Sql_injection [2] http://drupal.org/project/droptor [3] http://drupal.org/node/1049098 [4] http://drupal.org/project/droptor [5] http://drupal.org/user/17943 [6] http://drupal.org/user/ [7] http://drupal.org/user/186334 [8] http://drupal.org/security-team [9] http://drupal.org [10] http://drupal.org/contact