  • Advisory ID: DRUPAL-SA-2008-058
  • Project: Brilliant Gallery (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2008-September-25
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection

Description

The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the "access brilliant_gallery" permission to perform SQL injection attacks, which may allow the malicious user to gain administrator access.
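To make the described defect concrete, the following is an added illustration (not code from the Brilliant Gallery module or from Drupal itself) contrasting direct interpolation of user input with the placeholder form of Drupal 5/6's db_query(). The table name, the gallery_lookup_* function names and the small demo_db_query() stand-in for the API's placeholder handling are assumptions made for the example.

```php
<?php
// Added illustration, not the Brilliant Gallery module's code. demo_db_query()
// is a minimal stand-in for the placeholder handling of Drupal 5/6's
// db_query(); {gallery_item} and the gallery_lookup_* functions are hypothetical.

// Drupal 5/6 placeholder rules: %d casts the argument to an integer, %s is
// escaped for use inside single quotes in the query text, %% is a literal %.
function demo_db_query($query, array $args) {
    return preg_replace_callback('/(%d|%s|%%)/', function ($m) use (&$args) {
        switch ($m[1]) {
            case '%%':
                return '%';
            case '%d':
                return (string) (int) array_shift($args);
            case '%s':
                // addslashes() stands in for db_escape_string() so the demo runs
                // without a database connection.
                return addslashes((string) array_shift($args));
        }
    }, $query);
}

// The pattern the advisory describes: a user-supplied value is concatenated
// into the SQL text, so whatever the user sends becomes part of the query.
function gallery_lookup_unsafe($item_id) {
    return "SELECT * FROM {gallery_item} WHERE id = " . $item_id;
}

// The corrected form: the value is passed as an argument and the API coerces
// it to an integer before it reaches the query, so only a number can appear.
function gallery_lookup_safe($item_id) {
    return demo_db_query("SELECT * FROM {gallery_item} WHERE id = %d", array($item_id));
}

// Same idea for a string column: '%s' keeps the value inside the quotes.
function gallery_find_by_title_safe($title) {
    return demo_db_query("SELECT * FROM {gallery_item} WHERE title = '%s'", array($title));
}

// Constructed inputs: a tampered id and a title containing a quote.
$tampered_id = "1 OR 1=1";
echo gallery_lookup_unsafe($tampered_id), "\n";   // the OR clause survives into the query text
echo gallery_lookup_safe($tampered_id), "\n";     // the (int) cast keeps only the leading 1
echo gallery_find_by_title_safe("O'Brien"), "\n"; // the quote is escaped, not terminating the literal
```

In real Drupal 5/6 code the same contrast applies to db_query() itself: pass user input as arguments with %d/%s placeholders rather than building the query string by concatenation.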

Versions Affected

  • All versions of Brilliant Gallery

Drupal core is not affected. If you do not use the Brilliant Gallery module, there is nothing you need to do.

Solution

There is no solution available. Please disable the module and remove it from your site.

The module has been removed from Drupal.org.

Reported by

  • The SQL injection vulnerability was reported by Justin Klein Keane (Justin_KleinKeane)

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.