BID:22202

Drupal Acidfree Module Node Title SQL Injection Vulnerability

Info

Drupal Acidfree Module Node Title SQL Injection Vulnerability

Bugtraq ID:	22202
Class:	Input Validation Error
CVE:	CVE-2007-0507
Remote:	Yes
Local:	No
Published:	Jan 24 2007 12:00AM
Updated:	May 12 2015 07:35PM
Credit:	Brett Yagel is credited with the discovery of this vulnerability.
Vulnerable:	Drupal Acidfree Module 4.7 Drupal Acidfree Module 4.6

Not Vulnerable:	Drupal Acidfree Module 4.6 1-0 Drupal Acidfree Module 4.7.0 1.0

Discussion

Drupal Acidfree Module Node Title SQL Injection Vulnerability

Drupal Acidfree Module is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

This issue affects versions prior to 4.6.0-1.0 and 4.7.0-1.0.

Exploit / POC

Drupal Acidfree Module Node Title SQL Injection Vulnerability

Attackers can exploit this issue via a web client.

Solution / Fix

Drupal Acidfree Module Node Title SQL Injection Vulnerability

Solution:
The vendor has released versions 4.6.0.1-0 and 4.7.0.1-0 to address this issue. Please see the references for more information.

Drupal Acidfree Module 4.6

Drupal acidfree-4.6.x-1.0.tar.gz
http://ftp.osuosl.org/pub/drupal/files/projects/acidfree-4.6.x-1.0.tar .gz

Drupal Acidfree Module 4.7

Drupal acidfree-4.7.x-1.0.tar.gz
http://ftp.osuosl.org/pub/drupal/files/projects/acidfree-4.7.x-1.0.tar .gz

References

Drupal Acidfree Module Node Title SQL Injection Vulnerability

References:

Drupal Security Advisory DRUPAL-SA-2007-003 (Drupal)
Vendor Homepage (Drupal)