[Security-news] SA-CONTRIB-2009-023 - News Page - SQL injection

security-news at drupal.org security-news at drupal.org
Wed Apr 29 21:59:52 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-023
  * Project: News Page
  * Versions: 5.x
  * Date: 2009-April-29
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: SQL injection

-------- DESCRIPTION ---------------------------------------------------------

The News Page module provides a node content type which displays feed items
from an aggregator category, filtered by keywords entered into the 'Include
Words' field of the node. Unfortunately the News Page module uses keywords
directly in SQL queries without being sanitized, allowing SQL injection
attacks [1] by malicious users who have access to create and edit News Page
nodes.
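
As an added illustration, not the News Page module's own code (the advisory does not reproduce it), the unsafe pattern the advisory describes beside the Drupal 5 API-style fix: values from the node's 'Include Words' field reach db_query() only through %s placeholders instead of being concatenated into the query text. The table and column names follow Drupal 5 core's aggregator schema; the $node->include_words and $node->cid field names are assumptions.

```php
<?php
// Added example, not the News Page module's code (the advisory does not
// reproduce it). Table and column names follow Drupal 5 core's aggregator
// schema; $node->include_words and $node->cid are assumed field names.

// UNSAFE: the raw keyword string and category id are spliced into the SQL
// text, so a keyword containing a quote changes the query's structure
// instead of being matched literally. This is the pattern the advisory
// describes.
function news_page_items_unsafe($node) {
  $where = array();
  foreach (explode(',', $node->include_words) as $word) {
    $word = trim($word);
    if ($word !== '') {
      $where[] = "i.title LIKE '%" . $word . "%'";
    }
  }
  $sql = "SELECT i.iid, i.title FROM {aggregator_item} i "
       . "INNER JOIN {aggregator_category_item} ci ON ci.iid = i.iid "
       . "WHERE ci.cid = " . $node->cid . " AND (" . implode(' OR ', $where) . ")";
  return db_query($sql);
}

// SAFE: every user-controlled value reaches the query through db_query()
// placeholders. %d casts the category id to an integer and %s is escaped by
// the database layer, so quotes cannot terminate the string literal. The
// LIKE wildcards '%' and '_' are also escaped so a keyword containing them
// matches literally instead of widening the search.
function news_page_items_safe($node) {
  $where = array();
  $args  = array((int) $node->cid);
  foreach (explode(',', $node->include_words) as $word) {
    $word = trim($word);
    if ($word !== '') {
      $where[] = "i.title LIKE '%%%s%%'";
      $args[]  = strtr($word, array('\\' => '\\\\', '%' => '\%', '_' => '\_'));
    }
  }
  if (empty($where)) {
    return FALSE;  // no keywords: return no rows rather than an invalid query
  }
  $sql = "SELECT i.iid, i.title FROM {aggregator_item} i "
       . "INNER JOIN {aggregator_category_item} ci ON ci.iid = i.iid "
       . "WHERE ci.cid = %d AND (" . implode(' OR ', $where) . ")";
  return db_query($sql, $args);
}
```

Drupal 5's db_query() accepts the placeholder values either as extra arguments or, as here, as a single array, and turns the doubled %% into a literal % for the LIKE pattern.
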

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Versions of News Page for Drupal 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the News Page module, there is
nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.

  * If you use News Page for Drupal 5.x, upgrade to 5.x-1.2 [2]

Also see the News Page project page [3].

-------- REPORTED BY ---------------------------------------------------------

Robert Castelo (Robert Castelo [4])

-------- FIXED BY ------------------------------------------------------------

Robert Castelo (Robert Castelo [5])

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact, selecting the security issues
category.

[1] http://en.wikipedia.org/wiki/SQL_injection
[2] http://drupal.org/node/448988
[3] http://drupal.org/project/news_page
[4] http://drupal.org/user/3555
[5] http://drupal.org/user/3555
