- Advisory ID: DRUPAL-SA-CONTRIB-2009-110
- Project: Taxonomy Timer (third-party module)
- Version: 5.x, 6.x
- Date: 2009-November-25
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
Description
The Taxonomy Timer module enables users to set expiration dates for Taxonomy Terms. At the time of expiration other terms can be assigned, or nodes can be unpublished. In some cases the module does not properly sanitize user input, leading to a SQL Injection vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
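The advisory does not show the affected code, so the following is an added illustration of the bug class it describes, not the Taxonomy Timer module's own code or its fix. It uses an in-memory SQLite database through PDO so it runs stand-alone with plain PHP; the table name, columns, rows and the untrusted input are all constructed for the example. In a Drupal 5.x/6.x module the equivalent fix is to pass values through the %d and '%s' placeholders of db_query() rather than interpolating them into the query string.

```php
<?php
// Added example (not the Taxonomy Timer module's code): the pattern behind a
// "does not properly sanitize user input" SQL injection finding, beside the
// fixed form. Runs stand-alone against an in-memory SQLite database via PDO.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows, loosely modelled on a term-expiry table.
$db->exec('CREATE TABLE term_timer (tid INTEGER, expire INTEGER, published INTEGER)');
$db->exec('INSERT INTO term_timer VALUES (1, 1259000000, 1), (2, 1260000000, 1), (3, 1261000000, 0)');

// VULNERABLE: the caller-supplied $tid is pasted into the SQL text, so the
// caller controls part of the statement, not just a value.
// Drupal 6 equivalent of this mistake: db_query("SELECT ... WHERE tid = $tid")
function expiry_for_term_vulnerable(PDO $db, $tid) {
    $sql = "SELECT expire FROM term_timer WHERE tid = $tid";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: the value is bound as a parameter and cast to the expected type, so
// whatever the caller sends can only ever be treated as data.
// Drupal 6 equivalent of the fix: db_query("SELECT ... WHERE tid = %d", $tid)
function expiry_for_term_fixed(PDO $db, $tid) {
    $stmt = $db->prepare('SELECT expire FROM term_timer WHERE tid = :tid');
    $stmt->execute([':tid' => (int) $tid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed test input: a request parameter that is not a plain term id.
// This stands in for the "user input" the advisory refers to.
$untrusted = '1 OR 1=1';

$leaked = expiry_for_term_vulnerable($db, $untrusted);
$bound  = expiry_for_term_fixed($db, $untrusted);

printf("vulnerable query returned %d row(s)\n", count($leaked));
printf("fixed query returned %d row(s)\n", count($bound));

// Review heuristic: any db_query() call whose query string is built with a
// double-quoted "$variable" or with string concatenation is a candidate for
// this class of bug and should be converted to placeholders.
```

Run with `php example.php`. The vulnerable function returns every row, because the input rewrote the WHERE clause; the fixed function returns only the row for term 1, because the input was cast to an integer and bound as a parameter. The same distinction is what a reviewer looks for when auditing a contributed module: user-controlled values must reach the database only through placeholders, never through string interpolation.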
Versions affected
- Taxonomy Timer module 5.x-1.8 and prior versions
- Taxonomy Timer module 6.x-alpha1 and prior versions
Drupal core is not affected. If you do not use the contributed Taxonomy Timer module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Taxonomy Timer module for Drupal 5.x, upgrade to Taxonomy Timer module 5.x-1.9
- If you use the Taxonomy Timer module for Drupal 6.x, upgrade to Taxonomy Timer module 6.x-1.0-rc1
See also the Taxonomy Timer project page.
Reported by
Fixed by
- Suydam, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.