- Advisory ID: DRUPAL-SA-2006-005
- Project: Drupal core
- Date: 2006-May-18
- Security risk: highly critical
- Impact: Drupal core
- Exploitable from: remote
- Vulnerability: SQL injection
Description
A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer.
This is a critical security vulnerability; affected sites should be patched or upgraded immediately.
Versions affected
- Drupal 4.6.6 and older.
- Drupal 4.7.0 and older.
Solution
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.
You can also patch Drupal. To patch Drupal 4.6.6 to 4.6.7, use this patch:
http://drupal.org/files/sa-2006-005/4.6.6.patch
To patch Drupal 4.7.0 to 4.7.1, use this patch:
http://drupal.org/files/sa-2006-005/4.7.0.patch
Reported by
Ayman Hourieh
Contact
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.