Ravens PHP Scripts

Drupal Extended Tracker Module SQL Injection
Date: Thursday, October 26, 2006 @ 09:55:29 PDT
Topic: Security


SECUNIA ADVISORY ID: SA22566

VERIFY ADVISORY: http://secunia.com/advisories/22566/

CRITICAL: Less critical

IMPACT: Manipulation of data

WHERE: From remote

SOFTWARE: Drupal Extended Tracker Module 4.x - http://secunia.com/product/12431/

DESCRIPTION: A vulnerability has been reported in the Extended Tracker module for Drupal, which can be exploited by malicious users to conduct SQL injection attacks.


Input passed to unspecified parameters via the URL is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is reported in version 4.7 prior to revision 1.5.2.1.

SOLUTION: Update to the latest version of 4.7.

PROVIDED AND/OR DISCOVERED BY: The Drupal Security Team.

ORIGINAL ADVISORY: http://drupal.org/node/91358






This article comes from Ravens PHP Scripts
http://www.ravenphpscripts.com

The URL for this story is:
http://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2475