• Advisory ID: DRUPAL-SA-CONTRIB-2009-053
• Project: Ajax Table (third-party module)
• Version: 5.x
• Date: 2009-Aug-26
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities

Description

The Ajax Table module allows one to create AJAX-refreshable tables by supplying a few parameters.

Access bypass

The module performs no access checks on its operations, which makes it possible for any user to delete arbitrary users and nodes. This is one of a number of security issues in the module.

Cross site scripting

The module doesn't escape certain user-supplied values. Malicious users can use this to insert arbitrary HTML and script content into pages. Such a cross-site scripting attack may even lead to the malicious user gaining administrator access.
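The two defect classes above, an unguarded menu callback and unescaped output, are shown below in a hypothetical Drupal 5 module named example_table. This is an added illustration written for this page, not the Ajax Table module's code and not taken from the advisory: the path names, function names and the assumption that the unescaped value is a table cell are all constructed for the example. The Drupal 5 API calls used (hook_menu with the 'access' key, user_access, node_access, confirm_form, check_plain, node_delete) are the real core functions of that release.

```php
<?php
// Added illustration for a hypothetical "example_table" module (Drupal 5 API).
// Not the Ajax Table module's code; paths and function names are assumptions.

/**
 * Implementation of hook_menu() using the Drupal 5 signature.
 */
function example_table_menu($may_cache) {
  $items = array();
  if (!$may_cache) {
    // VULNERABLE: no 'access' key, so nothing here restricts the path to
    // privileged users, and a plain GET to example_table/delete_node/NID
    // deletes the node. This is the shape of an access bypass.
    $items[] = array(
      'path' => 'example_table/delete_node',
      'callback' => 'example_table_delete_node_unsafe',
      'type' => MENU_CALLBACK,
    );

    // HARDENED: 'access' ties the path to a permission, and the delete runs
    // through confirm_form(), so it happens only on a token-protected POST.
    $items[] = array(
      'path' => 'example_table/delete_node_safe',
      'callback' => 'drupal_get_form',
      'callback arguments' => array('example_table_delete_node_confirm'),
      'access' => user_access('administer nodes'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

/**
 * VULNERABLE callback: no permission, ownership or CSRF-token check.
 * Drupal 5 passes the trailing path component (the nid) as the argument.
 */
function example_table_delete_node_unsafe($nid) {
  node_delete($nid);
  return t('Deleted.');
}

/**
 * HARDENED callback: builds a confirmation form and re-checks access inside
 * the callback itself (defence in depth; the menu 'access' key is not enough
 * on its own if the function is ever reached by another route).
 */
function example_table_delete_node_confirm($nid) {
  $node = node_load($nid);
  if (!$node) {
    drupal_not_found();
    exit;
  }
  if (!user_access('administer nodes') && !node_access('delete', $node)) {
    drupal_access_denied();
    exit;
  }
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form($form,
    t('Delete %title?', array('%title' => $node->title)),
    'node/' . $node->nid,
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

/**
 * Drupal 5 submit handler; only runs after the form token has validated.
 */
function example_table_delete_node_confirm_submit($form_id, $form_values) {
  node_delete($form_values['nid']);
  drupal_set_message(t('Node deleted.'));
  return '<front>';
}

/**
 * VULNERABLE: a user-supplied cell value is written straight into the page,
 * so "<script>" or an event-handler attribute in the value becomes live markup.
 */
function example_table_cell_unsafe($value) {
  return '<td>' . $value . '</td>';
}

/**
 * HARDENED: check_plain() HTML-encodes the value (including quotes), so it is
 * rendered as text rather than interpreted as markup.
 */
function example_table_cell_safe($value) {
  return '<td>' . check_plain($value) . '</td>';
}
```

The practical check for a module of this kind is to list every path it registers in hook_menu and confirm that each state-changing path has an 'access' key and goes through a form (or otherwise verifies a token), and to confirm that every value echoed into HTML passes through check_plain() or the matching filter function for the context it lands in.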

Versions affected

• Ajax Table for Drupal 5.x

Drupal core is not affected. If you do not use the contributed Ajax Table module, there is nothing you need to do.

Solution

There is no solution available. Please disable the module and remove it from your server.

Reported by

Franz Heinzmann

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.