SA-CORE-2009-001

Primary links

Advisory ID: DRUPAL-SA-CORE-2009-001
Project: Drupal core
Version: 5.x, 6.x
Date: 2009-January-14
Security risk: Moderately Critical
Exploitable from: Remote
Vulnerability: SQL injection

A parameter passed into the node access API was not properly escaped or validated before being used in SQL queries. While there is no direct risk of SQL injection from Drupal core, it's possible that this could have presented a risk in combination with a contributed module. Additional validation has been added to eliminate this risk.

The official announcement for Drupal 5.x is here.

Considerations for Drupal 4.7

Drupal 4.7 is vulnerable to the same attack and should be patched.

SA-CORE-2009-001-4.7.7.patch

Featured Project

Open Green Map

Open Green Map is an interactive, multilingual platform where users can post and add features to maps of localities all over the world. Openflows is incorporating open source and Google Maps technology with social networking and other interactive features to create an ecological map publishing platform with a community feel.

Full description

Our Clients Are the Bottom Line

One of the key things that makes OCTL different from many other free software/open source consulting groups is that we have no investors. We built the company based on labor and the needs of our clients.

At the end of the day, our decisions are based not on what is in the best interests of shareholders, but on the commitments and relationships we have with the companies and organizations we work with.