- Advisory ID: DRUPAL-SA-CONTRIB-2011-048
- Project: Certificate Login (third-party module)
- Version: 5.x, 6.x
- Date: 2011-October-12
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
Description
The Certificate login module provides client certificate authentication of Drupal users. The authentication is based on the client certificate's data fields, which are then used as the user name for authentication. The obtained data isn't properly sanitized using Drupal's database API, which may cause an SQL injection vulnerability depending on the module settings.
Versions affected
- Certificate Login versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Certificate Login module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Certificate Login module for Drupal 6.x, upgrade to Certificate Login 6.x-2.3.
Note: all Drupal 5.x modules are not supported, including the Certificate Login module for 5.x. If you use Drupal 5.x you should upgrade now.
See also the Certificate Login project page.
Reported by
Fixed by
- Jyri-Petteri ”ZeiP” Paloposki, a module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.