• Advisory ID: DRUPAL-SA-2008-064
  • Project: Node Vote (third-party module)
  • Versions: 5.x and 6.x
  • Date: 2008-October-15
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection

Description

The Node Vote module allows authorized users to vote on certain types of nodes.

If the administrator has enabled the "Allow user to vote again" setting for the Node Vote module, malicious user can inject SQL when changing a previously cast vote. This is because Node Vote does not properly use the Drupal database API and inserts values from URLs directly into queries under these conditions. This can be exploited to perform SQL Injection attacks. These attacks may lead to a malicious user gaining administrator access.

Versions Affected

  • Versions of Node Vote for Drupal 5.x prior to 5.x-1.1
  • Versions of Node Vote for Drupal 6.x prior to 6.x-1.0

Drupal core is not affected. If you do not use the Node Vote module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use Node Vote for Drupal 5.x upgrade to 5.x-1.1
  • If you use Node Vote for Drupal 6.x upgrade to 6.x-1.0

Also see the Node Vote project page.

Reported by

Stéphane Corlosquet (scor) of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.