oss-sec mailing list archives

CVE Request -- Drupal (v6.x based) Views module - SQL injection due to improper escaping of database parameters for certain filters / arguments (SA-CONTRIB-2011-052)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 04 Nov 2011 11:49:16 +0100

Hello Kurt, Steve, vendors,

  a SQL injection flaw was found in the way the views module for Drupal
(v6.x based), the open-source content-management platform, performed
sanitization of the database parameters for certain filters / arguments
on certain types of views with a specific configuration of arguments. A
remote attacker could provide a specially-crafted SQL query which, once
processed by the Drupal system instance, could lead to arbitrary SQL
command execution.

[1] http://drupal.org/node/1329898
[2] http://drupal.org/node/1329846
[3] https://bugzilla.redhat.com/show_bug.cgi?id=751325

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
