* Advisory ID: DRUPAL-SA-CONTRIB-2009-023 * Project: News Page * Versions: 5.x * Date: 2009-April-29 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: SQL injection
-------- DESCRIPTION ---------------------------------------------------------
The News Page module provides a node content type which displays feed items from an aggregator category, filtered by keywords entered into the 'Include Words' field of the node. Unfortunately the News Page module uses keywords directly in SQL queries without being sanitized, allowing SQL injection attacks [1] by malicious users who have access to create and edit News Page nodes. -------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of News Page for Drupal 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the News Page module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use News Page for Drupal 5.x upgrade to 5.x-1.2 [2]
Also see the News Page project page [3].
-------- REPORTED BY ---------------------------------------------------------
Robert Castelo (Robert Castelo [4])
-------- FIXED BY ------------------------------------------------------------
Robert Castelo (Robert Castelo [5])
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.
[1] http://en.wikipedia.org/wiki/SQL_injection [2] http://drupal.org/node/448988 [3] http://drupal.org/project/news_page [4] http://drupal.org/user/3555 [5] http://drupal.org/user/3555