  • Advisory ID: DRUPAL-SA-2008-075
  • Project: Views
  • Versions: 6.x
  • Date: 2008-December-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection

Description

The Views module provides a flexible method for Drupal site designers to control how lists of content are presented.

When using an exposed filter on CCK text fields with allowed values, Views does not filter the data correctly. This may allow malicious users to conduct SQL injection attacks against the site.
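The bug class described above, as an added illustration that is not Views code: an exposed filter value for a text field with a fixed list of allowed values is shown first interpolated into SQL, then checked against the allowed-values list and bound as a query parameter. Table and column names, the allowed values and the rows are constructed for this example.

```python
import sqlite3

# Constructed sample: a CCK text field "field_status" whose allowed values are
# the three below. Table and column names are assumed, not Views' own schema.
ALLOWED_VALUES = {"draft", "review", "published"}


def build_db():
    """Create an in-memory database with a node table and one field table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER, title TEXT)")
    conn.execute("CREATE TABLE content_field_status (nid INTEGER, field_status_value TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?)",
                     [(1, "Alpha"), (2, "Beta"), (3, "Gamma")])
    conn.executemany("INSERT INTO content_field_status VALUES (?, ?)",
                     [(1, "draft"), (2, "published"), (3, "review")])
    return conn


def filter_unsafe(conn, submitted):
    """Vulnerable pattern: the exposed-filter value is pasted into the SQL text,
    so anything the user submits is parsed as part of the query."""
    sql = ("SELECT n.nid FROM node n JOIN content_field_status f ON n.nid = f.nid "
           "WHERE f.field_status_value = '%s'" % submitted)
    return sorted(row[0] for row in conn.execute(sql))


def filter_safe(conn, submitted):
    """Hardened pattern: a value outside the field's allowed values is rejected
    before any query runs, and the accepted value is bound as a parameter so it
    is always treated as data, never as SQL."""
    if submitted not in ALLOWED_VALUES:
        raise ValueError("exposed filter value is not in the field's allowed values")
    sql = ("SELECT n.nid FROM node n JOIN content_field_status f ON n.nid = f.nid "
           "WHERE f.field_status_value = ?")
    return sorted(row[0] for row in conn.execute(sql, (submitted,)))
```

For a real Drupal 6 site the equivalent is to validate the exposed value against the field's allowed values and pass it to db_query() through a placeholder rather than concatenating it.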

Versions Affected

  • Versions of Views for Drupal 6.x prior to 6.x-2.2

Drupal core is not affected. If you do not use the Views module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use Views for Drupal 6.x, upgrade to 6.x-2.2

Also see the Views project page.

Reported by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact by selecting the security issues category.