* Advisory ID: DRUPAL-SA-CONTRIB-2009-110
* Project: Taxonomy Timer (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-25
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL Injection

-------- DESCRIPTION ---------------------------------------------------------

The Taxonomy Timer module enables users to set expiration dates for Taxonomy Terms. At the time of expiration other terms can be assigned, or nodes can be unpublished. In some cases the module does not properly sanitize user input before using it in database queries, leading to a SQL Injection [1] vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Taxonomy Timer module 5.x-1.8 and prior versions
* Taxonomy Timer module 6.x-alpha1 and prior versions

Drupal core is not affected. If you do not use the contributed Taxonomy Timer module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Taxonomy Timer module for Drupal 5.x, upgrade to Taxonomy Timer module 5.x-1.9 [2]
* If you use the Taxonomy Timer module for Drupal 6.x, upgrade to Taxonomy Timer module 6.x-1.0-rc1 [3]

See also the Taxonomy Timer [4] project page.

-------- REPORTED BY ---------------------------------------------------------

* Dylan Wilder-Tack [5]

-------- FIXED BY ------------------------------------------------------------

* Suydam [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://drupal.org/node/641050
[3] http://drupal.org/node/641064
[4] http://drupal.org/project/taxonomy_timer
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/50195
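The advisory does not say which query in Taxonomy Timer took unsanitized input, so the following is an added illustration of the bug class only, not code from the module or its fix. It contrasts string-concatenated SQL with the placeholder form of the Drupal 5/6 db_query() API that contributed modules are expected to use. db_query_demo() is a stand-alone, simplified reimplementation of db_query()'s placeholder expansion (it returns the final SQL text instead of executing it, and addslashes() stands in for the database driver's escaping), and the table, column and function names are made up so the file runs without Drupal.

```php
<?php
// Added illustration of the SQL injection class named in the advisory.
// Nothing here is Taxonomy Timer code; names and table are hypothetical.

// Stand-in for db_escape_string(). Real Drupal delegates to the database
// driver; addslashes() is only here so the demo runs without a database.
function db_escape_string_demo($text) {
  return addslashes($text);
}

// Simplified db_query(): expands %d, %f, %s and %% from the extra
// arguments, the way Drupal 5/6 does, and returns the resulting SQL text.
// (Real db_query() also rewrites {table} for table prefixes; left as-is.)
function db_query_demo($query) {
  $args = func_get_args();
  array_shift($args);
  return preg_replace_callback('/(%d|%f|%s|%%)/', function ($m) use (&$args) {
    switch ($m[1]) {
      case '%d': return (int) array_shift($args);
      case '%f': return (float) array_shift($args);
      case '%s': return db_escape_string_demo(array_shift($args));
      case '%%': return '%';
    }
  }, $query);
}

// Vulnerable pattern: a request value is concatenated straight into SQL.
// Any value other than a plain integer changes the query's structure.
function expiring_terms_vulnerable($tid_from_request) {
  return db_query_demo(
    "SELECT tid, expire FROM {timer_demo} WHERE tid = " . $tid_from_request);
}

// Hardened pattern: the same lookup through placeholders. %d forces an
// integer; '%s' is escaped by db_query(), and the caller keeps the quotes
// in the query text rather than around the argument.
function expiring_terms_fixed($tid_from_request, $name_from_request) {
  return db_query_demo(
    "SELECT tid, expire FROM {timer_demo} WHERE tid = %d AND name = '%s'",
    $tid_from_request, $name_from_request);
}

// Constructed attacker input (hypothetical, for the demo only).
$hostile_tid  = "1 OR 1=1";
$hostile_name = "x' OR '1'='1";

echo expiring_terms_vulnerable($hostile_tid), "\n";
echo expiring_terms_fixed($hostile_tid, $hostile_name), "\n";
```

With the constructed input, the vulnerable function yields a WHERE clause of `tid = 1 OR 1=1`, which matches every row, while the hardened function reduces the same input to `tid = 1` and an escaped, still-quoted name string. Auditing a contributed module for this class of bug means grepping for db_query() calls whose query string is built with concatenation or interpolation of request, form or URL values instead of placeholders.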