SA-2007-031 (5 December 2007) SQL Injection possible when certain contributed modules are enabled

  • Advisory ID: DRUPAL-SA-2007-031
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-December-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection

The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While the taxonomy module itself validates the input it passes to taxonomy_select_nodes(), this is still a weakness in Drupal core: several contributed modules pass user input straight to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.

The official announcement for Drupal 4.7 and 5.x is here, and the official patch for Drupal 4.7 is here.

Considerations for Drupal 4.6

The same vulnerability in taxonomy_select_nodes() exists for Drupal 4.6, and therefore Drupal 4.6 must be secured against it as well. One way to do this is to ensure that no modules (such as taxonomy_menu.module or weblink.module), templates, or nodes with the PHP input type call the function taxonomy_select_nodes(). If this is done, the site will be secure.

We at Openflows are now only maintaining a handful of Drupal 4.6 sites, and none require the functionality of contributed modules which call taxonomy_select_nodes(). Therefore, we have not prepared a patch for this vulnerability. We encourage you to either prepare a patch yourself, or disable any modules using this function.
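For readers who take the advice above and patch a 4.6 site themselves, the following is an added illustration of the defect the advisory describes and of the placeholder-based fix; it is not Drupal's own code, and the two example functions, their query text and the assumption that a caller forwards a URL argument as $tids are hypothetical. Only db_query() and the {table} prefix syntax are real Drupal 4.x/5.x API.

```php
<?php
// Added illustration (not Drupal core code) of the pattern in SA-2007-031.
// The real taxonomy_select_nodes() body is not reproduced here.

// Weak pattern: $tids arrives from a contributed module that forwarded user
// input (e.g. a URL argument) and is spliced into the SQL unchanged, so any
// non-numeric text in it becomes part of the query.
function example_select_nodes_weak($tids) {
  $sql = 'SELECT DISTINCT(n.nid) FROM {node} n '
       . 'INNER JOIN {term_node} tn ON n.nid = tn.nid '
       . 'WHERE tn.tid IN (' . implode(',', $tids) . ') AND n.status = 1';
  return db_query($sql);   // db_query() is Drupal's query function
}

// Hardened pattern: every term ID must be numeric, is cast to int, and is
// bound through a %d placeholder. Anything that is not a plain number is
// dropped rather than reaching the query text.
function example_select_nodes_safe($tids) {
  $clean = array();
  foreach ((array) $tids as $tid) {
    if (is_numeric($tid)) {
      $clean[] = (int) $tid;
    }
  }
  if (empty($clean)) {
    return FALSE;          // nothing valid to select
  }
  $placeholders = implode(',', array_fill(0, count($clean), '%d'));
  $sql = 'SELECT DISTINCT(n.nid) FROM {node} n '
       . 'INNER JOIN {term_node} tn ON n.nid = tn.nid '
       . 'WHERE tn.tid IN (' . $placeholders . ') AND n.status = 1';
  // Drupal 4.x/5.x db_query() takes the placeholder values as extra arguments.
  return call_user_func_array('db_query', array_merge(array($sql), $clean));
}
```

To find out whether a 4.6 site is affected at all, search the module and theme directories for the string `taxonomy_select_nodes(` and check each caller for how it obtains its term IDs; a caller that only passes IDs taken from the database (as the taxonomy module does) is not exposed.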