=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2007/VULN489
_____________________________________________________________________

DATE                      : 06/12/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Drupal versions 4.7.x, 5.x.

======================================================================
http://drupal.org/node/198162
______________________________________________________________________

SA-2007-031 - Drupal core - SQL Injection possible when certain 
contributed modules are enabled

Heine - December 5, 2007 - 20:38

     * Advisory ID: DRUPAL-SA-2007-031
     * Project: Drupal core
     * Version: 4.7.x, 5.x
     * Date: 2007-December-05
     * Security risk: Moderately critical
     * Exploitable from: Remote
     * Vulnerability: SQL Injection

Description

The function taxonomy_select_nodes() directly injects variables into SQL
queries instead of using placeholders. While taxonomy module itself
validates the input passed to taxonomy_select_nodes(), this is a
weakness in Drupal core. Several contributed modules, such as
taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to
taxonomy_select_nodes(), enabling SQL injection attacks by anonymous
users.
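The weakness described above is a pattern rather than a single line: term ids handed to a query helper are joined straight into the SQL text, so any caller that forwards raw request input turns that input into SQL. The following Python program is an added illustration, not Drupal's code and not the patch referenced in this advisory; it models the pattern against a constructed in-memory SQLite schema (the table names node and term_node and the sample rows are assumptions) and places the weak string-building helper next to a hardened one that validates every id as an integer and binds it through a placeholder. The hardened helper rejects malformed ids instead of silently casting them, which makes a misbehaving caller visible in logs rather than masked.

```python
import re
import sqlite3

# Constructed sample schema and data, loosely modelled on a node table and a
# term-to-node join table. This is NOT Drupal's real schema.
SAMPLE_SQL = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE term_node (nid INTEGER, tid INTEGER);
INSERT INTO node VALUES (1, 'tagged 10'), (2, 'tagged 20'), (3, 'tagged 30');
INSERT INTO term_node VALUES (1, 10), (2, 20), (3, 30);
"""

BASE_QUERY = ("SELECT DISTINCT n.nid FROM node n "
              "INNER JOIN term_node t ON n.nid = t.nid "
              "WHERE t.tid IN (%s)")


def open_db():
    """Return a fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def select_nodes_vulnerable(conn, tids):
    """Weak pattern: the ids are joined directly into the SQL text.

    Whatever the caller passes becomes part of the statement, so this helper is
    only as safe as every caller's input validation.
    """
    sql = BASE_QUERY % ", ".join(str(t) for t in tids)
    return sorted(row[0] for row in conn.execute(sql))


def select_nodes_safe(conn, tids):
    """Hardened pattern: validate each id, then bind it with a placeholder.

    Raises ValueError on anything that is not a non-negative integer, so a
    caller that forwards raw request input fails loudly instead of running SQL.
    """
    clean = []
    for t in tids:
        if isinstance(t, int) and not isinstance(t, bool):
            clean.append(t)
            continue
        text = str(t).strip()
        if not re.fullmatch(r"[0-9]+", text):
            raise ValueError("term id must be a non-negative integer: %r" % (t,))
        clean.append(int(text))
    if not clean:
        return []
    # One '?' per id; the driver binds the values, so they can never alter the SQL.
    sql = BASE_QUERY % ", ".join("?" for _ in clean)
    return sorted(row[0] for row in conn.execute(sql, clean))


def demo():
    """Show both helpers on a normal id and on a constructed malformed id."""
    conn = open_db()
    normal = ["10"]
    malformed = ["10) OR (1=1"]  # constructed: a string that is not a term id
    print("vulnerable, normal   :", select_nodes_vulnerable(conn, normal))
    print("vulnerable, malformed:", select_nodes_vulnerable(conn, malformed))
    print("safe, normal         :", select_nodes_safe(conn, normal))
    try:
        select_nodes_safe(conn, malformed)
    except ValueError as err:
        print("safe, malformed      : rejected ->", err)


if __name__ == "__main__":
    demo()
```

The weak helper returns every node for the malformed id because the id text was spliced into the WHERE clause; the hardened helper refuses it before any query runs, and for a well-formed list produces exactly the nodes carrying those terms. Moving validation into the shared helper is what makes the fix hold regardless of which contributed module calls it.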

To learn more about SQL injection, please read this article.

Versions affected

     * Drupal 4.7.x before Drupal 4.7.9
     * Drupal 5.x before Drupal 5.4

Solution

Install the latest version:

     * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.9.
     * If you are running Drupal 5.x then upgrade to Drupal 5.4.

If you are unable to upgrade immediately, you can apply a patch to 
secure your installation until you are able to do a proper upgrade.

     * To patch Drupal 4.7.8 use SA-2007-031-4.7.8.patch.
     * To patch Drupal 5.3 use SA-2007-031-5.3.patch.

Reported by

     * Nadid Skywalker
     * Ivan Sergio Borgonovo

Contact

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.


======================================================================

           =========================================================
           The CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================