- Advisory ID: DRUPAL-SA-CONTRIB-2009-023
- Project: News Page
- Versions: 5.x
- Date: 2009-April-29
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: SQL injection
Description
The News Page module provides a node content type which displays feed items from an aggregator category, filtered by keywords entered into the 'Include Words' field of the node.
Unfortunately, the News Page module inserts these keywords directly into its SQL queries without sanitizing them, allowing SQL injection by malicious users who have permission to create or edit News Page nodes.
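As an added illustration (this is not the module's own code; the function names, the whitespace split of the 'Include Words' value and the aggregator table joins are assumptions), the weak pattern the advisory describes beside the Drupal 5 fix, which hands every keyword to db_query() through a placeholder so it is escaped before it reaches the database:

```php
<?php
// Added example, not the News Page module's code. Drupal 5 database API:
// db_query() escapes each %s argument with db_escape_string() and casts %d.

// Weak pattern: the node's keywords are concatenated straight into SQL.
function newspage_example_items_unsafe($cid, $include_words) {
  $clauses = array();
  foreach (explode(' ', $include_words) as $word) {
    $clauses[] = "i.title LIKE '%" . $word . "%'";   // raw user text in SQL
  }
  $sql = "SELECT i.iid, i.title, i.link FROM {aggregator_item} i "
       . "INNER JOIN {aggregator_category_item} ci ON ci.iid = i.iid "
       . "WHERE ci.cid = " . $cid . " AND (" . implode(' OR ', $clauses) . ")";
  return db_query($sql);   // a quote in a keyword alters the query
}

// Corrected pattern: keywords travel as %s arguments, the category id as %d.
// %% is a literal percent sign once db_query() runs vsprintf().
function newspage_example_items_safe($cid, $include_words) {
  $clauses = array();
  $args = array((int) $cid);
  foreach (preg_split('/\s+/', trim($include_words)) as $word) {
    if ($word === '') {
      continue;
    }
    $clauses[] = "i.title LIKE '%%%s%%'";
    $args[] = $word;   // escaped by db_query(), never spliced into the string
  }
  if (count($clauses) == 0) {
    return array();
  }
  $sql = "SELECT i.iid, i.title, i.link FROM {aggregator_item} i "
       . "INNER JOIN {aggregator_category_item} ci ON ci.iid = i.iid "
       . "WHERE ci.cid = %d AND (" . implode(' OR ', $clauses) . ")";
  $result = db_query($sql, $args);   // Drupal 5 accepts an argument array
  $items = array();
  while ($item = db_fetch_object($result)) {
    $items[] = $item;
  }
  return $items;
}
```

Escaping stops the injection but not LIKE wildcards (% and _) inside a keyword; that only widens a match and is a separate, non-security concern.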
Versions Affected
- Versions of News Page for Drupal 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the News Page module, there is nothing you need to do.
Solution
Install the latest version.
- If you use News Page for Drupal 5.x, upgrade to 5.x-1.2.
Also see the News Page project page.
Reported by
Robert Castelo (Robert Castelo)
Fixed by
Robert Castelo (Robert Castelo)
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.