=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN362
_____________________________________________________________________

DATE                      : 19/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Mailhandler for DRUPAL.

======================================================================
http://drupal.org/node/309769
______________________________________________________________________

SA-2008-050 - Mailhandler - SQL injection

Heine - September 17, 2008 - 16:31

     * Advisory ID: DRUPAL-SA-2008-050
     * Project: Mailhandler (third-party module)
     * Versions: 5.x and 6.x
     * Date: 2008-September-17
     * Security risk: Critical
     * Exploitable from: Remote
     * Vulnerability: SQL injection


Description

The Mailhandler module allows users to create or edit nodes and comments
via email. One vulnerability was found in the module.

SQL Injection
Mailhandler does not properly use the Drupal database API and inserts
values taken from incoming mails directly into SQL queries. This can be
exploited to perform SQL injection attacks, which may lead to a
malicious user gaining administrator access.
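The advisory describes the defect in one sentence: mail-derived values are placed into SQL strings instead of being passed through the database API. The following PHP snippet is an added illustration, not Mailhandler's own code; the function names are hypothetical, and the only real API used is the Drupal 5/6 db_query() placeholder mechanism. It shows the unsafe pattern beside the form the fix relies on.

```php
<?php
// Added illustration (not Mailhandler's code): a value parsed from an
// incoming mail reaching a query, first by string interpolation, then
// through the Drupal 5/6 database API. Function names are hypothetical.

/**
 * UNSAFE: the SQL string is built by interpolating a mail header value.
 * The From: address is content under the sender's control, so any quote
 * character in it changes the structure of the query.
 */
function example_lookup_user_unsafe($from_address) {
  // Pattern the advisory describes: mail-derived value concatenated into SQL.
  $result = db_query("SELECT uid FROM {users} WHERE mail = '$from_address'");
  return db_result($result);
}

/**
 * FIXED: the value is passed as an argument and db_query() escapes it for
 * the %s placeholder. In Drupal 5/6 the quotes around %s are required;
 * the API supplies the escaping, not the quoting.
 */
function example_lookup_user_fixed($from_address) {
  $result = db_query("SELECT uid FROM {users} WHERE mail = '%s'", $from_address);
  return db_result($result);
}

/**
 * Numeric values taken from a mail (for instance a node ID in the subject
 * line) use %d, which casts the argument to an integer before substitution.
 */
function example_load_node_fixed($nid_from_subject) {
  $result = db_query("SELECT nid, uid, status FROM {node} WHERE nid = %d",
                     $nid_from_subject);
  return db_fetch_object($result);
}
```

When reviewing a Drupal 5/6 module for the same class of defect, a useful heuristic is to look at every db_query() call whose first argument contains a variable or string concatenation; in a correctly written module the query string is a constant and all variable data arrives through the placeholder arguments.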


Versions Affected

     * Versions of Mailhandler for Drupal 5.x prior to 5.x-1.4
     * Versions of Mailhandler for Drupal 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the Mailhandler module,
there is nothing you need to do.


Solution

Install the latest version.

     * If you use Mailhandler for Drupal 5.x upgrade to Mailhandler 5.x-1.4
     * If you use Mailhandler for Drupal 6.x upgrade to Mailhandler 6.x-1.4

Also see the Mailhandler project page.


Reported by

     * The SQL injection vulnerability was reported by the module
       maintainer Zohar Stolar.


Contact

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact by selecting the
security issues category.



======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================