• Advisory ID: DRUPAL-SA-2008-072
  • Project: Storm Project
  • Versions: 5.x and 6.x
  • Date: 2008-December-03
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection

Description

Storm (SpeedTech Organization and Resource Manager) is a project management application for Drupal.

The Storm module allows users who have access to Storm projects to submit input values that are used directly in SQL queries without being sanitized, enabling SQL injection attacks by malicious users. Because the input is inserted into the query text rather than passed as a typed argument, such a user can alter the query that runs and read or modify data beyond what the module's own access checks permit.
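The bug class described above, shown as an added illustration rather than Storm's own code: the advisory does not identify the affected query, so the function names (prefixed storm_example_) and the table name {storm_example_project} are hypothetical. The vulnerable form splices request values into the SQL string; the fixed form passes the same values through the typed placeholders of the Drupal 5.x/6.x db_query() API.

```php
<?php
// Added illustration only. NOT Storm's code; the real vulnerable query is not
// identified in the advisory. storm_example_* and {storm_example_project} are
// hypothetical names. Uses the Drupal 5.x/6.x db_query() placeholder API.

/**
 * VULNERABLE form: $pid and $title come from the request (a form value or a
 * menu argument) and are spliced into the SQL text unquoted and unescaped.
 *
 * A project member can therefore send
 *   $pid   = "0 OR 1=1"                                -> lists every project
 *   $title = "' UNION SELECT uid, name, pass FROM {users} -- "
 *                                                      -> reads another table
 * ({users} is expanded by db_prefix_tables() like any other braced name, so
 * the payload works regardless of the site's table prefix.) Any access
 * check done before this call no longer constrains what the query returns.
 */
function storm_example_project_search_vulnerable($pid, $title) {
  $sql = "SELECT pid, title, organization_nid FROM {storm_example_project} "
       . "WHERE pid = " . $pid . " AND title LIKE '%" . $title . "%'";
  $result = db_query($sql);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = $row;
  }
  return $rows;
}

/**
 * FIXED form: the same query with db_query() placeholders. %d casts its
 * argument to an integer ("0 OR 1=1" becomes 0); '%s' runs the argument
 * through db_escape_string(), so a quote cannot terminate the literal. The
 * quotes stay in the template, and %% is a literal percent sign for LIKE.
 */
function storm_example_project_search_fixed($pid, $title) {
  $sql = "SELECT pid, title, organization_nid FROM {storm_example_project} "
       . "WHERE pid = %d AND title LIKE '%%%s%%'";
  $result = db_query($sql, $pid, $title);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = $row;
  }
  return $rows;
}

/**
 * Identifiers cannot be parameterised: a user-chosen ORDER BY column or table
 * name must be checked against a whitelist instead of being escaped.
 */
function storm_example_project_sort_column($requested) {
  $allowed = array('pid', 'title', 'organization_nid');
  return in_array($requested, $allowed, TRUE) ? $requested : 'title';
}

function storm_example_project_sorted($sort) {
  $column = storm_example_project_sort_column($sort);
  return db_query("SELECT pid, title FROM {storm_example_project} ORDER BY " . $column);
}
```

One caveat with the fixed form: '%s' escapes quotes but leaves the LIKE metacharacters % and _ alone, so a title of "%" still matches every row. That only widens a match and cannot break out of the string, but if it matters, escape those two characters before passing the value (for MySQL, addcslashes($title, '%_') works with the default backslash ESCAPE), since Drupal 5.x/6.x has no helper for this.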

Versions Affected

  • Versions of Storm for Drupal 5.x prior to 5.x-1.14
  • Versions of Storm for Drupal 6.x prior to 6.x-1.18

Drupal core is not affected. If you do not use the Storm module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use Storm for Drupal 5.x upgrade to 5.x-1.14
  • If you use Storm for Drupal 6.x upgrade to 6.x-1.18

Also see the Storm project page.

Reported by

Jakub Suchy (meba)

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.