• Advisory ID: DRUPAL-SA-2006-029.
• Project: Help Tip (third-party module).
• Date: 2006-Dec-11.
• Security risk: highly critical.
• Exploitable from: remote.
• Vulnerability: SQL Injection, Cross site scripting.

Description

The contributed module Help Tip bypasses Drupal's database API and uses user-supplied data unescaped in queries, allowing malicious users to execute SQL injection attacks. These attacks may lead to administrator access.

Node titles are not properly sanitised before being used in block titles. This can be exploited to insert and execute arbitrary HTML and script code in a user's browser session in the context of an affected site. This may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia.
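The two defect classes named above (a query built by string concatenation instead of through the database API, and a node title placed unescaped into a block subject) are illustrated below with an added example written for this advisory. It is not code from the Help Tip module or from the Drupal project; the module name `helptip_example`, the block delta and the use of a `nid` request parameter are assumptions. The corrected version uses only Drupal 4.7 core API functions: `db_query()` with a typed `%d` placeholder, `db_fetch_object()` and `check_plain()`.

```php
<?php
// Added example, not the Help Tip module's code. Shows a hypothetical
// hook_block() implementation first in the defective form the advisory
// describes, then in the form that uses the Drupal 4.7 core API correctly.

/**
 * Defective pattern (hypothetical module "helptip_example").
 *
 * The node id is taken straight from the request and concatenated into the
 * SQL string, bypassing db_query()'s placeholder escaping, and the node title
 * is returned as the block subject without being sanitised.
 */
function helptip_example_block_defective($op = 'list', $delta = 0) {
  if ($op == 'list') {
    return array(0 => array('info' => t('Help tip (defective example)')));
  }
  if ($op == 'view') {
    $nid = $_GET['nid'];
    // Unescaped user input inside the query string: the database API's
    // placeholder handling never sees it, so the query text is attacker-controlled.
    $node = db_fetch_object(db_query('SELECT nid, title FROM {node} WHERE nid = ' . $nid));
    return array(
      // Raw title: any HTML or script stored in a node title is rendered
      // verbatim in the block title of every visitor's page.
      'subject' => $node->title,
      'content' => l(t('Read more'), 'node/' . $node->nid),
    );
  }
}

/**
 * Corrected pattern.
 *
 * The id is cast to an integer and bound through the %d placeholder, so the
 * value can never change the structure of the query, and check_plain()
 * HTML-encodes the title before it reaches the browser.
 */
function helptip_example_block($op = 'list', $delta = 0) {
  if ($op == 'list') {
    return array(0 => array('info' => t('Help tip')));
  }
  if ($op == 'view') {
    // Integer cast plus typed placeholder: db_query() substitutes a number,
    // nothing else. (For string arguments use a quoted '%s' placeholder.)
    $nid = (int) $_GET['nid'];
    $node = db_fetch_object(db_query('SELECT nid, title FROM {node} WHERE nid = %d', $nid));
    if (!$node) {
      return;
    }
    return array(
      // check_plain() escapes <, >, & and quotes, so a title is displayed as
      // text and cannot inject markup into the block title.
      'subject' => check_plain($node->title),
      'content' => l(t('Read more'), 'node/' . $node->nid),
    );
  }
}
```

When reviewing a contributed module for this class of issue, the two things to look for are any `db_query()` call whose first argument is built with `.` concatenation or interpolated variables, and any `'subject'` (or other themed string) that carries user-entered text without passing through `check_plain()` or `filter_xss()`.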

Versions affected

All Help Tip versions prior to 4.7.x-1.0.

Drupal core is not affected. If you do not use the contributed Help Tip module, there is nothing you need to do.

Solution

Install the latest version:

See also the Help Tip project page.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.