[Security-news] SA-CONTRIB-2010-090 - Yr Weatherdata - SQL Injection

security-news at drupal.org security-news at drupal.org
Wed Sep 8 17:26:22 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-090
  * Project: Yr Weatherdata (third-party module)
  * Version: 6.x
  * Date: 2010-September-08
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: SQL Injection

-------- DESCRIPTION ---------------------------------------------------------

The Yr Weatherdata module displays weather forecasts, and enables users with
the proper permission to set the sort method. When the sort method is set, the
module does not correctly filter the value supplied by the user. This
vulnerability can be exploited to perform an SQL Injection attack [1].
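
Added example, not code from the Yr Weatherdata module or this advisory: a sort setting names a column and direction, so it cannot be bound as a query placeholder and is instead mapped onto a fixed set of ORDER BY clauses. It assumes the sort value ends up in an ORDER BY clause, uses Python with sqlite3 rather than Drupal's database API, and all table, column and function names are hypothetical.

```python
import sqlite3

# Hypothetical sort methods mapped to fixed ORDER BY clauses (assumed names).
SORT_METHODS = {
    "name": "name ASC",
    "id": "id ASC",
    "updated": "updated DESC",
}
DEFAULT_SORT = "name"


def build_query_unsafe(sort_value):
    """Pre-fix pattern: the submitted setting is pasted into the statement."""
    return "SELECT id, name FROM locations ORDER BY " + sort_value


def build_query_safe(sort_value):
    """Only clauses from SORT_METHODS reach the SQL text; unknown values fall back."""
    clause = SORT_METHODS.get(sort_value, SORT_METHODS[DEFAULT_SORT])
    return "SELECT id, name FROM locations ORDER BY " + clause


def validate_sort_setting(sort_value):
    """Form-validation step: reject unknown values before they are stored."""
    if sort_value not in SORT_METHODS:
        raise ValueError("unknown sort method")
    return sort_value


def list_locations(conn, sort_value):
    """Return location names ordered by the (allowlisted) sort method."""
    return [row[1] for row in conn.execute(build_query_safe(sort_value))]


def demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE locations (id INTEGER PRIMARY KEY, name TEXT, updated INTEGER)"
    )
    conn.executemany(
        "INSERT INTO locations VALUES (?, ?, ?)",
        [(1, "Oslo", 30), (2, "Bergen", 10), (3, "Tromso", 20)],
    )
    return conn
```

Validating when the setting is saved and again when the query is built means a value stored before the fix is also neutralised.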

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Yr Weatherdata module for Drupal 6.x before version 6.x-1.6

Drupal core is not affected. If you do not use the contributed Yr Weatherdata
[2] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Yr Weatherdata module for Drupal 6.x before version 6.x-1.6,
    upgrade to Yr Weatherdata 6.x-1.6 [3] or later, preferably the current Yr
    Weatherdata 6.x-1.10 [4].

See also the Yr Weatherdata project page [5].

-------- REPORTED BY ---------------------------------------------------------

  * Fredrik Kilander (tjodolv [6]), module maintainer

-------- FIXED BY ------------------------------------------------------------

  * Fredrik Kilander (tjodolv [7]), module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Sql_injection
[2] http://drupal.org/project/yr_verdata
[3] http://drupal.org/node/606290
[4] http://drupal.org/node/824368
[5] http://drupal.org/project/yr_verdata
[6] http://drupal.org/user/196733
[7] http://drupal.org/user/196733
[8] http://drupal.org/security-team