- Advisory ID: DRUPAL-SA-2006-027
- Project: Extended Tracker (xtracker) 4.7
- Date: 2006-Oct-26
- Security risk: highly critical
- Exploitable from: remote
- Vulnerability: SQL injection
Description
The contributed module Extended Tracker (xtracker) accepts parameters from URLs and uses those unescaped in SQL queries, allowing malicious users to execute SQL injection attacks. This may result in them gaining administrator privileges.
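As an added illustration that is not code from the advisory or from the xtracker module itself, the pattern described above (a URL parameter concatenated into SQL) is shown beside the Drupal 4.7 db_query() placeholder idiom that prevents it; the function names and the `uid`/`name` parameters are hypothetical.

```php
<?php
// Constructed example: unsafe vs. safe query building in a Drupal 4.7 module.

// UNSAFE: the raw URL parameter is spliced into the SQL string, so anything
// the client sends becomes part of the query text. This is the defect class
// the advisory describes.
function example_unsafe_lookup() {
  $uid = $_GET['uid'];                       // attacker-controlled input
  $sql = "SELECT u.uid, u.name FROM {users} u WHERE u.uid = " . $uid;
  return db_fetch_object(db_query($sql));
}

// SAFE (Drupal 4.7 API): db_query() takes printf-style placeholders and
// sanitises each argument by type. %d casts the value to an integer, so no
// SQL syntax can survive; '%s' (written with its own quotes) is passed
// through db_escape_string() before substitution.
function example_safe_lookup() {
  $uid = (int) $_GET['uid'];                 // numeric id -> %d placeholder
  $sql = "SELECT u.uid, u.name FROM {users} u WHERE u.uid = %d";
  return db_fetch_object(db_query($sql, $uid));
}

function example_safe_lookup_by_name() {
  $name = $_GET['name'];                     // string -> quoted '%s' placeholder
  $sql = "SELECT u.uid, u.name FROM {users} u WHERE u.name = '%s'";
  return db_fetch_object(db_query($sql, $name));
}
```

When auditing a 4.7-era contributed module, grep for `db_query(` calls whose first argument is built with `.` concatenation or string interpolation of `$_GET`, `$_POST` or `arg()` values; every such call should be converted to the placeholder form.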
Versions affected
Please check the CVS $Id$ fields in the file xtracker.module to determine whether the version you are running is vulnerable. Versions older than the following (or lacking an ID) are vulnerable:
- $Id: xtracker.module,v 1.5.2.1 2006/10/24 18:47:41 kbahey Exp $
Version 4.6 of the xtracker module is not vulnerable. Drupal core is not affected. If you do not use the contributed xtracker module, there is nothing you need to do.
Solution
Install the latest version:
See also the Extended Tracker project page.
Reported by
The Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.