oss-sec mailing list archives
CVE Request -- Drupal (v6.x based) Views module - SQL injection due to improper escaping of database parameters for certain filters / arguments (SA-CONTRIB-2011-052)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 04 Nov 2011 11:49:16 +0100
Hello Kurt, Steve, vendors,

a SQL injection flaw was found in the way the Views module for Drupal (v6.x based), the open-source content-management platform, performed sanitization of the database parameters for certain filters / arguments on certain types of views with a specific configuration of arguments. A remote attacker could provide a specially-crafted SQL query which, once processed by the Drupal system instance, could lead to arbitrary SQL command execution.

References:
[1] http://drupal.org/node/1329898
[2] http://drupal.org/node/1329846
[3] https://bugzilla.redhat.com/show_bug.cgi?id=751325

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
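The class of bug the request describes, a view filter or argument whose value is spliced into SQL text instead of being passed as an escaped or bound parameter, is illustrated below. This is an added example written for this page, not code from the Views module or from the advisory; the table layout, the two hypothetical filter handlers and the sample rows are all constructed for the demonstration, and Python with sqlite3 stands in for the PHP/Drupal 6 database layer (where the hardened form would use db_query() placeholders such as %d and '%s' rather than string concatenation).

```python
import sqlite3

# Constructed sample rows standing in for a Drupal {node} table (not real site data).
NODES = [
    (1, "page", "Public page", 1),
    (2, "page", "Draft page", 0),
    (3, "story", "Unpublished story", 0),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE node (nid INTEGER, type TEXT, title TEXT, status INTEGER)"
    )
    conn.executemany("INSERT INTO node VALUES (?, ?, ?, ?)", NODES)
    return conn


def vulnerable_type_filter(conn, node_type):
    """Hypothetical 'content type' filter that formats the value into the SQL text.
    A value such as  page' OR '1'='1  escapes the quotes and widens the WHERE clause."""
    sql = "SELECT nid FROM node WHERE status = 1 AND type = '%s'" % node_type
    return [row[0] for row in conn.execute(sql)]


def hardened_type_filter(conn, node_type):
    """Same filter with the value bound as a parameter; the driver quotes it."""
    sql = "SELECT nid FROM node WHERE status = 1 AND type = ?"
    return [row[0] for row in conn.execute(sql, (node_type,))]


def vulnerable_nid_argument(conn, nid):
    """Hypothetical numeric 'nid' argument formatted unquoted into the SQL text.
    No quotes are needed to inject:  1 OR 1=1  turns the lookup into a full scan."""
    sql = "SELECT nid FROM node WHERE nid = %s" % nid
    return [row[0] for row in conn.execute(sql)]


def hardened_nid_argument(conn, nid):
    """Numeric argument cast to int first (rejects non-numeric input), then bound."""
    nid_value = int(nid)  # raises ValueError on '1 OR 1=1'
    sql = "SELECT nid FROM node WHERE nid = ?"
    return [row[0] for row in conn.execute(sql, (nid_value,))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_type_filter(db, "page"))            # [1]
    print(vulnerable_type_filter(db, "page' OR '1'='1"))  # [1, 2, 3]: unpublished rows leak
    print(hardened_type_filter(db, "page' OR '1'='1"))    # []: treated as a literal type name
    print(vulnerable_nid_argument(db, "1 OR 1=1"))         # [1, 2, 3]
    print(hardened_nid_argument(db, "2"))                  # [2]
```

The two hardened handlers show the two checks a practitioner wants in a filter or argument handler: bind string values rather than quoting them by hand, and validate numeric values as numbers before they reach the query, since an unquoted integer placeholder offers the attacker an injection point that needs no quote character at all.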