• Advisory ID: DRUPAL-SA-2008-061
  • Project: EveryBlog (third-party module)
  • Versions: 5.x and 6.x
  • Date: 2008-October-08
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection, Cross-site scripting (XSS), Privilege escalation, Access bypass

Description

The module does not follow Drupal best practices for database queries and for handling user-submitted data, leading to a number of vulnerabilities. Of special concern is that an unprivileged user can become logged in to the account of an existing user, including an administrator.
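As an added illustration of the practices the advisory refers to (this is not code from the advisory or from the EveryBlog module), the Drupal 6 snippet below places a hypothetical unsafe request handler beside a hardened one. The function names, the {example_blog} table and its columns are assumptions; db_query() placeholders, user_access(), check_plain() and check_markup() are standard Drupal 6 API.

```php
<?php
// Added illustration for this advisory page. NOT code from EveryBlog.
// Hypothetical: example_blog_entry_unsafe(), example_blog_entry_safe(),
// the {example_blog} table and its nid/author/title/body columns.

// Unsafe pattern: request values are dropped straight into the SQL string
// and the stored text is echoed back without escaping.
function example_blog_entry_unsafe($nid, $author) {
  // $nid and $author arrive unmodified from the request, so they shape the
  // query (SQL injection) and the stored title/body reach the page as
  // raw HTML (XSS). No permission is checked at all (access bypass).
  $result = db_query("SELECT title, body FROM {example_blog} WHERE nid = $nid AND author = '$author'");
  $row = db_fetch_object($result);
  return '<h2>' . $row->title . '</h2>' . $row->body;
}

// Hardened pattern: permission check, typed placeholders, escaped output.
function example_blog_entry_safe($nid, $author) {
  // The acting account comes from the session, never from request data.
  global $user;

  // Enforce the permission before touching data.
  if (!user_access('access content')) {
    drupal_access_denied();
    return '';
  }

  // %d casts to an integer and '%s' is escaped by db_query(), so the
  // query structure is fixed regardless of what the caller passed in.
  $result = db_query("SELECT title, body FROM {example_blog} WHERE nid = %d AND author = '%s'", $nid, $author);
  $row = db_fetch_object($result);
  if (!$row) {
    return t('Entry not found.');
  }

  // check_plain() escapes HTML metacharacters in plain-text fields;
  // check_markup() runs body text through the site's input filters
  // so stored markup cannot execute as script.
  return '<h2>' . check_plain($row->title) . '</h2>'
    . check_markup($row->body, FILTER_FORMAT_DEFAULT);
}
```

The three differences (who may call it, how values enter the query, how text leaves the page) map one-to-one onto the access bypass, SQL injection and XSS classes listed in the advisory header; the session-derived account is the usual Drupal answer to the login-as-another-user concern, though the advisory does not describe the module's specific mechanism.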

Versions Affected

  • All versions of EveryBlog

Drupal core is not affected. If you do not use the EveryBlog module, there is nothing you need to do.

Solution

Please disable the module and remove it from your site.

All affected releases of this module have been removed from Drupal.org.

Reported by

  • The privilege escalation was reported by Dan Hassel
  • The SQL injection, XSS and access bypass were reported by members of the Drupal security team

Contact

The security contact for Drupal can be reached at security at drupal.org, or via the form at http://drupal.org/contact by selecting the security issues category.