[DRUPAL-SA-2006-005] Drupal 4.6.7 / 4.7.1 fixes SQL injection issue

2006-06-03T00:00:00
ID SECURITYVULNS:DOC:12965
Type securityvulns
Reporter Securityvulns
Modified 2006-06-03T00:00:00

Description


Drupal security advisory DRUPAL-SA-2006-005

Advisory ID: DRUPAL-SA-2006-005
Project: Drupal core
Date: 2006-05-24
Security risk: highly critical
Impact: Drupal core
Where: from remote
Vulnerability: SQL injection


Description

A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer.

This is a critical security vulnerability; affected sites should be patched or upgraded immediately.

Versions affected

All Drupal versions before 4.6.7 and 4.7.1.

Solution

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7. If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.
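A triage check for the affected versions and upgrade targets stated above, added here as an example and not part of the original advisory. The version-string format (including pre-release suffixes such as `-rc3`), the function names and the sample inventory are assumptions.

```python
import re

# Fixed releases per branch, taken from the advisory (4.6.7 and 4.7.1).
FIXED = {(4, 6): (4, 6, 7), (4, 7): (4, 7, 1)}
# Assumed version format: major.minor[.patch][suffix], e.g. "4.7.0-rc3".
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([-_ ]?[a-z][\w.-]*)?")


def parse(version):
    """Split '4.7.0-rc3' into ((4, 7, 0), True); the flag marks a pre-release suffix."""
    m = _VERSION.fullmatch(version.strip().lower())
    if not m:
        # Fail loudly: an unreadable version must not be counted as patched.
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0)), bool(m[4])


def triage(version):
    """Return (affected, upgrade_target) for one Drupal core version string."""
    v, prerelease = parse(version)
    branch = v[:2]
    if branch in FIXED:
        fix = FIXED[branch]
        # A pre-release of the fixed number is treated as affected (conservative).
        affected = v < fix or (v == fix and prerelease)
        return affected, ".".join(map(str, fix)) if affected else None
    if branch < (4, 6):
        # "All versions before 4.6.7": affected, but the advisory names
        # no upgrade target for branches older than 4.6.
        return True, None
    return False, None  # branch newer than 4.7: outside the affected range


def affected_sites(inventory):
    """Map site name -> upgrade target (or None) for every affected site."""
    return {site: triage(ver)[1]
            for site, ver in sorted(inventory.items()) if triage(ver)[0]}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = {"intranet": "4.6.5", "blog": "4.7.0", "shop": "4.7.1",
                 "legacy": "4.5.8", "staging": "4.7.0-rc3", "wiki": "4.6.7"}
    for site, target in affected_sites(inventory).items():
        print(f"{site}: affected, upgrade to {target or 'a fixed release'}")
```

Sites whose version string cannot be parsed raise `ValueError` rather than being reported as patched, so they surface for manual review.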

Contact

The security contact for Drupal can be reached at security@drupal.org or using the form at http://drupal.org/contact. More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.

Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org