SA-2008-036 - Profile search - SQL Injection

Heine - June 18, 2008 - 15:15

Advisory ID: SA-2008-036
Project: Profile Search (third-party module)
Versions: 5.x
Date: 2008-July-18
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Description

The Profile search module provides a way for users to search users by all profile fields, as provided by the profile module in core. Numerous values are used in SQL strings without being properly sanitized. Users with the "access user profiles" permission can use these values to execute SQL injection attacks. These attacks may lead to administrator access.

Versions affected

Profile search 5.x releases prior to 5.x-1.0.

Drupal core is not affected. If you do not use the contributed Profile search module, there is nothing you need to do.

Solution

Install the latest version:

If you currently use Profile search 5.x, upgrade to Profile search 5.x-1.0

See also the Profile search project page.

Reported by

This issue was reported by Larry Garfield (Crell), who has now taken over maintenance of the module.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-036 - Profile search - SQL Injection

Description

Versions affected

Solution

Reported by

Contact

User login

Search downloads

Contributor links