  • Advisory ID: DRUPAL-SA-2005-005
  • Project: flexinode
  • Date: 2005-Oct-03
  • Security risk: highly critical
  • Impact: flexinode module
  • Exploitable from: remote
  • Vulnerability: SQL injection and PHP execution by bypassing input format check

Description

Wolfgang Ziegler has discovered multiple security vulnerabilities in the contributed flexinode module.

Versions affected

Please check the CVS $Id$ fields in the following files to determine whether the version of the flexinode module you are running is vulnerable.

All versions older than the following are vulnerable:

4.5 branch:

  • field_checkbox.inc:// $Id: field_checkbox.inc,v 1.7.2.1 2005/09/23 01:55:07 killes Exp $
  • field_select.inc:// $Id: field_select.inc,v 1.9.2.1 2005/09/23 01:55:07 killes Exp $
  • field_textarea.inc:// $Id: field_textarea.inc,v 1.8.2.3 2005/09/23 02:03:02 killes Exp $

4.6 branch:

  • field_checkbox.inc:// $Id: field_checkbox.inc,v 1.7.4.1 2005/09/22 21:28:40 chx Exp $
  • field_select.inc:// $Id: field_select.inc,v 1.9.4.1 2005/09/22 21:28:40 chx Exp $
  • field_textarea.inc:// $Id: field_textarea.inc,v 1.10.2.2 2005/09/22 19:37:56 chx Exp $

HEAD branch:

  • field_checkbox.inc:// $Id: field_checkbox.inc,v 1.8 2005/09/23 04:28:06 chx Exp $
  • field_select.inc:// $Id: field_select.inc,v 1.10 2005/09/23 04:28:06 chx Exp $
  • field_textarea.inc:// $Id: field_textarea.inc,v 1.12 2005/09/23 04:28:06 chx Exp $
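The `$Id$` comparison described above can be scripted. The following is an added example, not part of the original advisory or of the flexinode project; the function name `check_id_line` and the rule that a branch revision is compared only with the listed fix sharing its CVS branch prefix are assumptions of this example.

```python
import re

# Fixed revisions copied from the advisory's "Versions affected" lists.
FIXED = {
    "field_checkbox.inc": {"4.5": "1.7.2.1", "4.6": "1.7.4.1", "HEAD": "1.8"},
    "field_select.inc": {"4.5": "1.9.2.1", "4.6": "1.9.4.1", "HEAD": "1.10"},
    "field_textarea.inc": {"4.5": "1.8.2.3", "4.6": "1.10.2.2", "HEAD": "1.12"},
}
ID_RE = re.compile(r"\$Id:\s*(\S+),v\s+(\d+(?:\.\d+)+)\s")


def _rev(text):
    """Turn '1.10.2.2' into (1, 10, 2, 2) so components compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_id_line(line):
    """Return (filename, revision, verdict) for one line holding a CVS $Id$.

    verdict is 'patched', 'vulnerable', or 'unknown' (keyword not expanded,
    file not listed in the advisory, or a branch the advisory does not list).
    """
    m = ID_RE.search(line)
    if not m:
        return (None, None, "unknown")
    name, rev_text = m.groups()
    if name not in FIXED:
        return (name, rev_text, "unknown")
    rev = _rev(rev_text)
    fixed = [_rev(r) for r in FIXED[name].values()]
    if len(rev) == 2:
        # Trunk revision: only revisions at or past the HEAD fix carry the patch.
        verdict = "patched" if rev >= _rev(FIXED[name]["HEAD"]) else "vulnerable"
    else:
        # Branch revision: comparable only with a fix on the same CVS branch
        # (identical prefix); the last component counts commits on that branch.
        same = [f for f in fixed if len(f) > 2 and f[:-1] == rev[:-1]]
        if not same:
            verdict = "unknown"
        else:
            verdict = "patched" if rev[-1] >= same[0][-1] else "vulnerable"
    return (name, rev_text, verdict)


if __name__ == "__main__":
    # Constructed sample lines (dates and committer names are made up).
    for sample in (
        "// $Id: field_textarea.inc,v 1.8.2.2 2005/01/01 00:00:00 example Exp $",
        "// $Id: field_select.inc,v 1.10 2005/09/23 04:28:06 chx Exp $",
    ):
        print(check_id_line(sample))
```

Feed it the line containing `$Id:` from each of the three files; an `unknown` verdict means the revision has to be checked by hand.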

Solution

Drupal core is not affected. If you do not use the flexinode module there is nothing you need to do. If you do use flexinode, upgrade to the latest version of the flexinode module for your Drupal version:

Contact

The security contact for Drupal can be reached at security@drupal.org or using the form at http://drupal.org/contact.