Wednesday, December 17, 2008

[Security announcements] SA-2008-075 - Views - SQL Injection

------------SA-2008-075 - VIEWS - SQL INJECTION------------

* Advisory ID: DRUPAL-SA-2008-075

* Project: Views

* Versions: 6.x

* Date: 2008-December-16

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: SQL injection


The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented.

When using an exposed filter on CCK text fields with allowed values, Views
does not filter the data correctly. This may allow malicious users to conduct
SQL injection attacks against the site.
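
The class of flaw described above, as an added illustration: this is not Views code and does not come from the advisory, which gives no details of the affected query. It contrasts a filter that pastes submitted values into the SQL text with one that checks them against the field's allowed values and binds them as parameters; the table, the field name field_color, the allowed values and the sample input are all constructed.

```python
import sqlite3

# Constructed allowed-values list for a hypothetical text field "field_color".
ALLOWED_VALUES = {"red", "green", "blue"}
# Constructed filter value that is not one of the allowed values.
CRAFTED = "red') OR published = 0 --"

def make_db():
    """Build an in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (nid INTEGER, field_color TEXT, published INTEGER)")
    db.executemany("INSERT INTO content VALUES (?, ?, ?)",
                   [(1, "red", 1), (2, "green", 1), (3, "blue", 0)])
    return db

def filter_unsafe(db, selected):
    """Weak form: submitted values become part of the SQL text unchecked."""
    in_list = ", ".join("'%s'" % v for v in selected)
    sql = ("SELECT nid FROM content WHERE published = 1 "
           "AND field_color IN (%s) ORDER BY nid" % in_list)
    return sorted(row[0] for row in db.execute(sql))

def filter_safe(db, selected):
    """Hardened form: allow-list check first, then bound parameters."""
    selected = list(selected)
    rejected = [v for v in selected if v not in ALLOWED_VALUES]
    if rejected:
        raise ValueError("value not in allowed values: %r" % rejected)
    if not selected:
        return []
    # Only "?" markers are formatted into the SQL; values travel separately.
    marks = ", ".join("?" for _ in selected)
    sql = ("SELECT nid FROM content WHERE published = 1 "
           "AND field_color IN (%s) ORDER BY nid" % marks)
    return [row[0] for row in db.execute(sql, selected)]

if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal value :", filter_unsafe(db, ["red"]))
    print("unsafe, crafted value:", filter_unsafe(db, [CRAFTED]))
    print("safe, normal values  :", filter_safe(db, ["red", "blue"]))
    try:
        filter_safe(db, [CRAFTED])
    except ValueError as err:
        print("safe, crafted value  : rejected,", err)
```

With the crafted value the weak form also returns the unpublished row, while the hardened form rejects the value before any query runs.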

------------VERSIONS AFFECTED------------

* Versions of Views for Drupal 6.x prior to 6.x-2.2

Drupal core is not affected. If you do not use the Views module, there is
nothing you need to do.


Install the latest version.

* If you use Views for Drupal 6.x, upgrade to 6.x-2.2

Also see the Views project page.

------------REPORTED BY------------

* Peter Fisera (goatvirus)

* Mariano D'Agostino (dagmar)


The security contact for Drupal can be reached at security at or via
the form at [ ] and by selecting the security issues
