Message-ID: <4EB3C32C.6080201@redhat.com>
Date: Fri, 04 Nov 2011 11:49:16 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: CVE Request -- Drupal (v6.x based) Views module - SQL injection due to improper escaping of database parameters for certain filters / arguments (SA-CONTRIB-2011-052)

Hello Kurt, Steve, vendors,

  a SQL injection flaw was found in the way the views module for the Drupal (v6.x based) open-source content-management platform performed sanitization of the database parameters for certain filters / arguments on certain types of views with a specific configuration of arguments. A remote attacker could provide a specially-crafted SQL query, which once processed by the Drupal system instance could lead to arbitrary SQL command execution.

References:
[1] http://drupal.org/node/1329898
[2] http://drupal.org/node/1329846
[3] https://bugzilla.redhat.com/show_bug.cgi?id=751325

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team