Drupal Security Team, DRUPAL-SA-CONTRIB-2015-148
Sep 16, 2015 - 12:00 a.m.

Drupal 7 driver for SQL Server and SQL Azure - Moderately Critical - SQL Injection - SA-CONTRIB-2015-148

2015-09-16 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 7.5 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 79.0%)

The Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection vulnerability.

Certain characters aren’t properly escaped by the Drupal database API. A malicious user may be able to access restricted information by performing a specially-crafted search.

Only sites that use contrib or custom modules which rely on the db_like() function may be affected.
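
As an added illustration (not code from the advisory or from the driver): T-SQL's LIKE operator treats `[` as a metacharacter in addition to `%` and `_`, so an escaping helper in the role of db_like() has to cover it on SQL Server. The advisory does not name the characters the driver mishandled; the `example_*` functions and the sample rows are constructed, and `example_tsql_like()` is a small offline model of `LIKE ... ESCAPE '\'`, not SQL Server itself.

```php
<?php
// Added illustration: names prefixed example_ are hypothetical, not the driver's API.

// Escape the T-SQL LIKE metacharacters (% _ [) plus the escape character
// itself, for a pattern used as: col LIKE :pattern ESCAPE '\'
function example_escape_like_tsql(string $value): string {
  return strtr($value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_', '[' => '\\[']);
}

// Escaping limited to \ % _ (enough only where [ is not a LIKE metacharacter).
function example_escape_like_basic(string $value): string {
  return strtr($value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

// Minimal offline model of T-SQL LIKE ... ESCAPE '\' (supports % _ [set] [^set]).
function example_tsql_like(string $subject, string $pattern): bool {
  $re = '';
  for ($i = 0, $n = strlen($pattern); $i < $n; $i++) {
    $c = $pattern[$i];
    if ($c === '\\' && $i + 1 < $n) {
      $re .= preg_quote($pattern[++$i], '/');   // escaped character is a literal
    } elseif ($c === '%') {
      $re .= '.*';                              // any run of characters
    } elseif ($c === '_') {
      $re .= '.';                               // exactly one character
    } elseif ($c === '[' && ($end = strpos($pattern, ']', $i + 1)) > $i + 1) {
      $set  = substr($pattern, $i + 1, $end - $i - 1);
      $neg  = ($set[0] === '^');
      $body = str_replace('\\-', '-', preg_quote($neg ? substr($set, 1) : $set, '/'));
      $re  .= '[' . ($neg ? '^' : '') . $body . ']';
      $i    = $end;                             // skip past the closing bracket
    } else {
      $re .= preg_quote($c, '/');
    }
  }
  return preg_match('/^' . $re . '$/s', $subject) === 1;
}

// Constructed sample data: the user searches for the literal text "file[1]".
$input = 'file[1]';
$rows  = ['file[1]', 'file1'];
foreach (['basic' => 'example_escape_like_basic', 'tsql' => 'example_escape_like_tsql'] as $name => $fn) {
  $pattern = $fn($input);
  $hits = array_filter($rows, fn($r) => example_tsql_like($r, $pattern));
  printf("%-5s pattern=%s matches=%s\n", $name, $pattern, implode(',', $hits));
}
```

A module author can run the same kind of check against a test table on the real database: a value passed through the escaping helper should match only rows that contain it literally.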

CVE identifier(s) issued

  • CVE-2015-7876

Versions affected

  • Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Drupal 7 driver for SQL Server and SQL Azure module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Drupal 7 driver for SQL Server and SQL Azure module for Drupal 7.x-1.x, you can upgrade to Drupal 7 driver for SQL Server and SQL Azure 7.x-1.4
  • If you use the Drupal 7 driver for SQL Server and SQL Azure module for Drupal 7.x-2.x, you can upgrade to Drupal 7 driver for SQL Server and SQL Azure 7.x-2.0

Although a 7.x-1.4 version has been released, the 7.x-1.x branch is currently unsupported and not maintained.

Also see the Drupal 7 driver for SQL Server and SQL Azure project page.

Reported by

Fixed by

Coordinated by
