=====================================================================
CERT-Renater Note d'Information No. 2008/VULN558
_____________________________________________________________________

DATE                 : 08/12/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Storm Project for DRUPAL.
======================================================================

http://drupal.org/node/342246
______________________________________________________________________

- ------------SA-2008-072 - STORM PROJECT - SQL INJECTION------------

* Advisory ID: DRUPAL-SA-2008-072
* Project: Storm Project
* Versions: 5.x and 6.x
* Date: 2008-December-03
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: SQL injection

- ------------DESCRIPTION------------

Storm (SpeedTech Organization and Resource Manager) is a project management application for Drupal.

Unfortunately the Storm module allows users with access to the storm projects to enter input values which are then used directly in SQL queries without being sanitized, enabling SQL injection attacks [ http://en.wikipedia.org/wiki/SQL_injection ] by malicious users.

- ------------VERSIONS AFFECTED------------

* Versions of Storm for Drupal 5.x prior to 5.x-1.14
* Versions of Storm for Drupal 6.x prior to 6.x-1.18

Drupal core is not affected. If you do not use the Storm module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version.

* If you use Storm for Drupal 5.x upgrade to 5.x-1.14 [ http://drupal.org/node/342264 ]
* If you use Storm for Drupal 6.x upgrade to 6.x-1.18 [ http://drupal.org/node/342263 ]

Also see the Storm project page [ http://drupal.org/project/storm ].

- ------------REPORTED BY------------

Jakub Suchy (meba [ http://drupal.org/user/31977 ])

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category.
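The defect class described above (user input used directly in a query) and the fix the Drupal 5/6 database layer provides, as an added example that is not Storm's code and not part of the advisory; the function names, the {storm_example} table and the $status/$uid parameters are hypothetical.

```php
<?php
// Added illustration for a Drupal 5/6 module; not taken from the Storm module.
// Table name {storm_example} and the function names are hypothetical.

// Vulnerable pattern: a user-controlled value is concatenated into the SQL
// string. A value containing a single quote ends the literal early and lets
// the rest of the value become part of the query, which is the SQL injection
// the advisory describes.
function storm_example_list_vulnerable($status) {
  $sql = "SELECT nid, title FROM {storm_example} WHERE status = '" . $status . "'";
  return db_query($sql);
}

// Hardened pattern: db_query() placeholders. In Drupal 5/6 the database layer
// substitutes each placeholder from the extra arguments: %d is cast to an
// integer and '%s' is escaped for the database, so the argument is always
// treated as data and can no longer change the structure of the query.
function storm_example_list_safe($status, $uid) {
  return db_query(
    "SELECT nid, title FROM {storm_example} WHERE status = '%s' AND uid = %d",
    $status,
    $uid
  );
}

// Typical caller: both values come from the request and must be treated as
// untrusted. Only the hardened function should ever receive them.
function storm_example_page() {
  $status = isset($_GET['status']) ? $_GET['status'] : 'open';
  $result = storm_example_list_safe($status, $GLOBALS['user']->uid);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = check_plain($row->title);
  }
  return theme('item_list', $rows);
}
```

When auditing a Drupal 5/6 module for this bug, look for db_query() calls whose first argument is built with string concatenation or interpolated variables instead of placeholders; every such call is a candidate for the pattern shown in the vulnerable function.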
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER             | tel : 01-53-94-20-44     +
+ 151 bd de l'Hopital      | fax : 01-53-94-20-41     +
+ 75013 Paris              | email: certsvp@renater.fr +
=========================================================