it-securitynotifies - [IT-SecNots] [Security-news] SA-CONTRIB-2011-009 - Droptor - SQL Injection

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2011-009 - Droptor - SQL Injection
  • Date: Wed, 2 Feb 2011 21:21:29 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Security announcements <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2011-009
* Project: Droptor (third-party module)
* Version: 6.x
* Date: 2011-February-02
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL Injection

-------- DESCRIPTION ---------------------------------------------------------

The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring
and management solution. When recording memory-usage log entries, the module
does not sanitize the value of the current page request variable before using
it in a database query. A remote attacker can use this to perform an SQL
injection attack [1]. The vulnerability is mitigated by the fact that memory
monitoring must be enabled, which is not the default configuration.
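To make the class of bug concrete, here is an added illustration; it is not Droptor's code and is not taken from the advisory. It is a hypothetical Drupal 6 style memory logger that writes the request path to a table, once by splicing $_GET['q'] into the query string and once through placeholders. It runs stand-alone with PDO and an in-memory SQLite database instead of a Drupal bootstrap; the table names, the sample request paths and the hash value are constructed for the example, and the Drupal 6 db_query() equivalents of both calls are given in comments.

```php
<?php
// Added example, not Droptor's code: a hypothetical Drupal 6 style memory
// logger, shown vulnerable and fixed. Uses PDO + in-memory SQLite so it runs
// without a Drupal bootstrap; the memory_log and users tables, the request
// paths and the hash value are all constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE memory_log (page TEXT, bytes INTEGER)');
// Stand-in for Drupal's users table: one row with a made-up password hash.
$db->exec('CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'constructed-hash-not-real')");

// Vulnerable pattern: the request path is concatenated into the SQL string,
// so a quote in the path ends the literal and the remainder is parsed as SQL.
// Drupal 6 shape of the same mistake:
//   db_query("INSERT INTO {memory_log} (page, bytes) VALUES ('" . $_GET['q'] . "', $bytes)");
function log_memory_vulnerable(PDO $db, $page, $bytes) {
    $sql = "INSERT INTO memory_log (page, bytes) VALUES ('" . $page . "', " . (int) $bytes . ")";
    $db->exec($sql);
}

// Hardened pattern: the path is bound as a parameter and can only ever be data.
// Drupal 6 equivalent, letting db_query() escape and quote the %s value:
//   db_query("INSERT INTO {memory_log} (page, bytes) VALUES ('%s', %d)", $_GET['q'], $bytes);
function log_memory_safe(PDO $db, $page, $bytes) {
    $stmt = $db->prepare('INSERT INTO memory_log (page, bytes) VALUES (:page, :bytes)');
    $stmt->execute(array(':page' => $page, ':bytes' => (int) $bytes));
}

// Constructed request paths, i.e. what would arrive in $_GET['q'].
// The hostile one closes the string literal, supplies a subselect as the
// "bytes" value and comments out the rest of the statement, so the log row
// ends up holding a value read from another table. No stacked statement is
// needed, which matters because neither Drupal 6 db_query() nor a plain
// MySQL connection would run a second statement anyway.
$benign  = 'node/1';
$hostile = "x', (SELECT pass FROM users WHERE uid = 1)) -- ";

$bytes = memory_get_peak_usage();

log_memory_vulnerable($db, $benign, $bytes);   // logs node/1 as intended
log_memory_vulnerable($db, $hostile, $bytes);  // logs the admin hash in the bytes column
log_memory_safe($db, $hostile, $bytes);        // logs the hostile string verbatim, as data

foreach ($db->query('SELECT page, bytes FROM memory_log') as $row) {
    printf("page=%s bytes=%s\n", $row['page'], $row['bytes']);
}
```

Run with the php CLI (the pdo_sqlite extension is needed). The second row shows the injected subselect's result sitting where a memory figure should be, while the third row, written through the parameterised path, stores the attacker's string unchanged. The fix in the advisory is the same move in Drupal 6 terms: pass the request value as a db_query() argument against a quoted '%s' placeholder rather than building the SQL string by hand.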

-------- VERSIONS AFFECTED ---------------------------------------------------

* Droptor module for Drupal 6.x before version 6.x-2.8

Only sites that have "memory monitoring" enabled in their Droptor settings
page are affected. The Drupal 7 version of this module is not affected.
Drupal core is not affected. If you do not use the contributed Droptor [2]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Droptor module for Drupal 6.x before version 6.x-2.8
upgrade to Droptor 6.x-2.8 [3].

See also the Droptor project page [4].

-------- REPORTED BY ---------------------------------------------------------

* Heine Deelstra [5] and Peter Wolanin [6], of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

* Justin Emond (jemond [7]), module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org [9] or
via the form at http://drupal.org/contact [10].


[1] http://en.wikipedia.org/wiki/Sql_injection
[2] http://drupal.org/project/droptor
[3] http://drupal.org/node/1049098
[4] http://drupal.org/project/droptor
[5] http://drupal.org/user/17943
[6] http://drupal.org/user/
[7] http://drupal.org/user/186334
[8] http://drupal.org/security-team
[9] http://drupal.org
[10] http://drupal.org/contact

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news


