Fwd: [Security announcements] SA-2008-072 - Storm Project - SQL injection

------------SA-2008-072 - STORM PROJECT - SQL INJECTION------------

* Advisory ID: DRUPAL-SA-2008-072

* Project: Storm Project

* Versions: 5.x and 6.x

* Date: 2008-December-03

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: SQL injection


Storm (SpeedTech Organization and Resource Manager) is a project management
application for Drupal.

Unfortunately the Storm module allows users with access to Storm projects to
enter input values that are then used directly in SQL queries without being
sanitized, enabling SQL injection attacks [
http://en.wikipedia.org/wiki/SQL_injection ] by malicious users.
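As an added illustration, not code taken from the Storm module or from this advisory, the pattern the advisory describes (user input concatenated into a query) next to the fix using Drupal 5/6's db_query() typed placeholders; the table and column names (storm_project_example, title, uid) are hypothetical.

```php
<?php
// Added example (not the Storm module's code). Table and column names are
// hypothetical; db_query(), db_fetch_object() and check_plain() are the real
// Drupal 5/6 database and output APIs.

// VULNERABLE: the user-supplied filter is spliced straight into the SQL
// string, so any quote or operator inside $title becomes part of the query.
function storm_example_projects_unsafe($title) {
  $sql = "SELECT nid, title FROM {storm_project_example} WHERE title = '" . $title . "'";
  return db_query($sql);
}

// FIXED: values are passed as arguments and bound to typed placeholders.
// %d casts the argument to an integer and '%s' escapes the string through
// db_escape_string(), so input can no longer alter the statement's structure.
function storm_example_projects_safe($title, $uid) {
  return db_query("SELECT nid, title FROM {storm_project_example} WHERE title = '%s' AND uid = %d",
                  $title, $uid);
}

// Read the rows with the Drupal 6 result API; output is escaped separately
// with check_plain() because SQL escaping does not protect HTML output.
function storm_example_titles($title, $uid) {
  $titles = array();
  $result = storm_example_projects_safe($title, $uid);
  while ($row = db_fetch_object($result)) {
    $titles[] = check_plain($row->title);
  }
  return $titles;
}
```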

------------VERSIONS AFFECTED------------

* Versions of Storm for Drupal 5.x prior to 5.x-1.14

* Versions of Storm for Drupal 6.x prior to 6.x-1.18

Drupal core is not affected. If you do not use the Storm module, there is
nothing you need to do.


------------SOLUTION------------

Install the latest version.

* If you use Storm for Drupal 5.x upgrade to 5.x-1.14 [
http://drupal.org/node/342264 ]

* If you use Storm for Drupal 6.x upgrade to 6.x-1.18 [
http://drupal.org/node/342263 ]

Also see the Storm project page [ http://drupal.org/project/storm ].

------------REPORTED BY------------

Jakub Suchy (meba [ http://drupal.org/user/31977 ])


------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues


