  • Advisory ID: DRUPAL-SA-2008-057
  • Project: Ajax Checklist (third-party module)
  • Versions: 5.x
  • Date: 2008-September-24
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection, Cross site scripting

Description

The Ajax Checklist module implements a filter that allows a user to include checkboxes in content.

The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the "update ajax checklists" permission to perform SQL Injection attacks. These attacks may lead to the malicious user gaining administrator access.

The module also displays certain values without appropriate filtering. Malicious users with the permission to create or edit posts and the ability to use an input format containing the ajax_checklist filter are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to a malicious user gaining administrator access.

Versions Affected

  • Versions of Ajax Checklist for Drupal 5.x prior to 5.x-1.1

Drupal core is not affected. If you do not use the Ajax Checklist module, there is nothing you need to do.
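
To check whether a site carries an affected copy, the following added example (not part of the advisory or the module) searches a Drupal tree for the module and compares its version with the fixed release 5.x-1.1. It assumes the module's metadata file is named ajax_checklist.info and holds a version = "5.x-N.N" line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumes the module ships an
# ajax_checklist.info file with a 'version = "5.x-N.N"' line.

# Classify a version string against the fixed release 5.x-1.1.
# Prints: affected | fixed | unknown
classify_version() {
    v=$1
    # Only plain 5.x-MAJOR.MINOR strings are compared. Dev snapshots,
    # pre-release suffixes and other branches need a manual look.
    if ! printf '%s\n' "$v" | grep -Eq '^5\.x-[0-9]+\.[0-9]+$'; then
        echo unknown
        return 0
    fi
    rest=${v#5.x-}
    major=${rest%%.*}
    minor=${rest#*.}
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }; then
        echo fixed
    else
        echo affected
    fi
}

# Print "<info file> <version> <status>" for each copy found under $1.
scan_drupal_root() {
    find "$1" -type f -name 'ajax_checklist.info' 2>/dev/null |
    while IFS= read -r info; do
        ver=$(sed -n 's/^version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$info" | head -n 1)
        [ -n "$ver" ] || ver="(none)"
        echo "$info $ver $(classify_version "$ver")"
    done
}

# Usage: sh check_ajax_checklist.sh /path/to/drupal
if [ $# -gt 0 ]; then
    scan_drupal_root "$1"
fi
```

A status of unknown means the version string could not be compared automatically and the copy should be reviewed by hand.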

Solution

Install the latest version.

Also see the Ajax Checklist project page.

Reported by

  • The SQL injection vulnerability was reported by Justin Klein Keane (Justin_KleinKeane)
  • The cross site scripting vulnerability was reported by Heine Deelstra (Heine) of the Drupal security team

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.