• Advisory ID: DRUPAL-SA-2008-071
  • Project: User Karma
  • Versions: 5.x and 6.x
  • Date: 2008-November-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection, Cross-site scripting (XSS)

Description

The User Karma module displays and manages karma points of users. How karma points are calculated is defined by other modules which hook into the User Karma module.

Unfortunately, the User Karma module allows administrators to enter a list of content types and Voting API values which are then used directly in SQL queries without being sanitized, enabling SQL injection attacks by malicious users. The module also contains a cross-site scripting (XSS) vulnerability, as some messages are displayed without being sanitized.
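To make the two defects concrete, the following is an added illustration in Drupal 6 PHP of the pattern the advisory describes, with the vulnerable form next to a hardened one. It is not the User Karma module's code: the function names, the `karma_example_types` variable and the settings-form validator are hypothetical.

```php
<?php
// Added illustration (not the User Karma module's code) of the pattern the
// advisory describes: admin-configured values interpolated straight into SQL,
// and a message rendered without escaping. Drupal 6 API; the function names
// and the 'karma_example_types' variable are hypothetical.

// VULNERABLE: a comma-separated list of content types from the settings form
// is dropped into the query as-is, so whoever controls that setting controls
// the SQL text rather than just a set of values.
function karma_example_count_vulnerable() {
  $types = variable_get('karma_example_types', 'story,page');
  // "story,page" becomes IN (story,page) with no quoting or escaping at all.
  return db_result(db_query("SELECT COUNT(*) FROM {node} WHERE type IN ($types)"));
}

// FIXED: split the setting into values and bind each one through a placeholder.
// db_placeholders() emits one quoted '%s' per value and db_query() escapes each.
function karma_example_count_fixed() {
  $types = array_map('trim', explode(',', variable_get('karma_example_types', 'story,page')));
  $types = array_filter($types, 'strlen');
  if (empty($types)) {
    return 0;
  }
  $sql = 'SELECT COUNT(*) FROM {node} WHERE type IN (' . db_placeholders($types, 'varchar') . ')';
  return db_result(db_query($sql, $types));
}

// VULNERABLE: user-derived text echoed into a status message without sanitising.
function karma_example_notice_vulnerable($name) {
  drupal_set_message("Karma updated for $name");
}

// FIXED: the @ placeholder in t() runs check_plain() on the value before it is
// placed in the page, so markup in $name is rendered as text, not interpreted.
function karma_example_notice_fixed($name) {
  drupal_set_message(t('Karma updated for @name', array('@name' => $name)));
}

// Settings-form validator: reject anything that is not a plausible machine name
// for a content type, so bad input is stopped at the form rather than in SQL.
function karma_example_settings_validate($form, &$form_state) {
  foreach (explode(',', $form_state['values']['karma_example_types']) as $type) {
    if (!preg_match('/^[a-z0-9_]+$/', trim($type))) {
      form_set_error('karma_example_types', t('Invalid content type name: @type', array('@type' => $type)));
    }
  }
}
```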

Versions Affected

  • Versions of User Karma for Drupal 5.x prior to 5.x-1.13
  • Versions of User Karma for Drupal 6.x prior to 6.x-1.0-beta1

Drupal core is not affected. If you do not use the User Karma module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use User Karma for Drupal 5.x, upgrade to 5.x-1.13
  • If you use User Karma for Drupal 6.x, upgrade to 6.x-1.0-beta1

Also see the User Karma project page.

Reported by

Stéphane Corlosquet (scor) of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org, or via the form at http://drupal.org/contact by selecting the security issues category.