
it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-090 - Yr Weatherdata - SQL Injection

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-090 - Yr Weatherdata - SQL Injection
  • Date: Wed, 8 Sep 2010 17:26:22 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Security announcements <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-090
* Project: Yr Weatherdata (third-party module)
* Version: 6.x
* Date: 2010-September-08
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: SQL Injection

-------- DESCRIPTION ---------------------------------------------------------

The Yr Weatherdata module displays weather forecasts and enables users with
the proper permission to set the sort method. When the sorting method is set,
the module does not correctly filter the value supplied by the user. This
vulnerability can be exploited to perform an SQL Injection attack [1].
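
The pattern behind the advisory, as an added illustration that is not the Yr Weatherdata module's own code: a hypothetical Drupal 6 query function in which the user-chosen sort method is spliced straight into an ORDER BY clause, beside a hardened form that maps the submitted value onto a fixed whitelist of column names and validates the setting when it is saved. Function, table and column names are assumptions.

```php
<?php
// Added example, not code from the Yr Weatherdata module. Table, column and
// function names are hypothetical; the pattern is the one the advisory
// describes: a user-controlled "sort method" reaching ORDER BY unfiltered.

// Vulnerable form: the submitted value is concatenated into the query text,
// so whatever a user with the sorting permission submits becomes SQL.
function example_weather_forecasts_vulnerable($sort) {
  $sql = "SELECT nid, title, temperature FROM {example_forecast} ORDER BY " . $sort;
  return db_query($sql);
}

// Hardened form: the user picks a key, never a column name. Only keys that
// appear in the whitelist are mapped to SQL identifiers; anything else falls
// back to the default, and the direction is restricted to two literals.
function example_weather_forecasts_safe($sort, $direction = 'asc') {
  $allowed = array(
    'time'        => 'forecast_time',
    'temperature' => 'temperature',
    'place'       => 'title',
  );
  $column = isset($allowed[$sort]) ? $allowed[$sort] : 'forecast_time';
  $dir = (strtolower($direction) === 'desc') ? 'DESC' : 'ASC';
  // Both identifiers come from arrays fixed at development time, so the
  // query text never contains user input.
  $sql = "SELECT nid, title, temperature FROM {example_forecast} ORDER BY $column $dir";
  return db_query($sql);
}

// Where the sort method is stored as a module setting (Form API submit path),
// reject unknown values at save time too, so a bad stored value never reaches
// the query layer even if the whitelist above changes later.
function example_weather_settings_validate($form, &$form_state) {
  $allowed = array('time', 'temperature', 'place');
  if (!in_array($form_state['values']['example_sort'], $allowed, TRUE)) {
    form_set_error('example_sort', t('Invalid sort method.'));
  }
}
```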

-------- VERSIONS AFFECTED ---------------------------------------------------

* Yr Weatherdata module for Drupal 6.x before version 6.x-1.6

Drupal core is not affected. If you do not use the contributed Yr Weatherdata
[2] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
* If you use the Yr Weatherdata module for Drupal 6.x before version 6.x-1.6,
upgrade to Yr Weatherdata 6.x-1.6 [3] or later, preferably the current Yr
Weatherdata 6.x-1.10 [4].

See also the Yr Weatherdata project page [5].
-------- REPORTED BY ---------------------------------------------------------

* Fredrik Kilander (tjodolv [6]), module maintainer

-------- FIXED BY ------------------------------------------------------------

* Fredrik Kilander (tjodolv [7]), module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Sql_injection
[2] http://drupal.org/project/yr_verdata
[3] http://drupal.org/node/606290
[4] http://drupal.org/node/824368
[5] http://drupal.org/project/yr_verdata
[6] http://drupal.org/user/196733
[7] http://drupal.org/user/196733
[8] http://drupal.org/security-team

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news


Archive provided by MHonArc 2.6.19.