[Security-news] SA-CONTRIB-2011-009 - Droptor - SQL Injection

security-news at drupal.org
Wed Feb 2 21:21:29 UTC 2011


  * Advisory ID: DRUPAL-SA-CONTRIB-2011-009
  * Project: Droptor (third-party module)
  * Version: 6.x
  * Date: 2011-February-02
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: SQL Injection

-------- DESCRIPTION  ---------------------------------------------------------

The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring
and management solution. When capturing memory logging information the module
does not filter the value input from the current page request variable. This
vulnerability can be exploited to perform an SQL Injection attack [1]. This
vulnerability is mitigated by the fact that memory monitoring must be
enabled, which is not the default configuration.
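As an added illustration of the bug class described above (this is not the Droptor module's code; the table, column and function names are hypothetical, and the request variable is assumed to be Drupal's $_GET['q'] path), here is the same memory-logging query written first with the request path interpolated into the SQL string and then with Drupal 6's db_query() placeholders:

```php
<?php
// Constructed example, not the Droptor module's code. Drupal 6 API used:
// db_query($query, ...$args) accepts printf-style placeholders (%s, %d, %f,
// %b) and escapes or casts each argument before the SQL is built.
// Table and column names below are hypothetical.

// Unsafe pattern: the request path is pasted straight into the statement, so
// any quote or comment sequence in the path becomes part of the query text.
function example_log_memory_unsafe() {
  $path = $_GET['q'];              // user-controlled request path
  $memory = memory_get_usage();    // integer, not attacker-controlled
  db_query("INSERT INTO {example_memory_log} (path, peak_memory, created)
            VALUES ('$path', $memory, " . time() . ")");
}

// Hardened pattern: values are passed as placeholder arguments. %s is quoted
// and escaped by the database layer and %d is cast to an integer, so the
// request path can only ever be data, never SQL.
function example_log_memory_safe() {
  $path = isset($_GET['q']) ? $_GET['q'] : '';
  db_query("INSERT INTO {example_memory_log} (path, peak_memory, created)
            VALUES ('%s', %d, %d)", $path, memory_get_usage(), time());
}
```

When reviewing a Drupal 6 module for this class of issue, look for db_query() calls whose first argument is built with string concatenation or double-quoted variable interpolation rather than placeholders.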

-------- VERSIONS AFFECTED  ---------------------------------------------------

  * Droptor module for Drupal 6.x before version 6.x-2.8

Only sites that have "memory monitoring" enabled in their Droptor settings
page are affected. The Drupal 7 version of this module is not affected.
Drupal core is not affected. If you do not use the contributed Droptor [2]
module, there is nothing you need to do.

-------- SOLUTION  ------------------------------------------------------------

Install the latest version:

  * If you use the Droptor module for Drupal 6.x before version 6.x-2.8
    upgrade to Droptor 6.x-2.8 [3].

See also the Droptor project page [4].

-------- REPORTED BY  ---------------------------------------------------------

  * Heine Deelstra [5] and Peter Wolanin [6], of the Drupal Security Team

-------- FIXED BY  ------------------------------------------------------------

  * Justin Emond (jemond [7]), module maintainer

-------- CONTACT  -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org [9] or
via the form at http://drupal.org/contact [10].


[1] http://en.wikipedia.org/wiki/Sql_injection
[2] http://drupal.org/project/droptor
[3] http://drupal.org/node/1049098
[4] http://drupal.org/project/droptor
[5] http://drupal.org/user/17943
[6] http://drupal.org/user/
[7] http://drupal.org/user/186334
[8] http://drupal.org/security-team
[9] http://drupal.org
[10] http://drupal.org/contact