Drupal Taxonomy Autotagger Module Multiple Input Validation Vulnerabilities
BID:30067
Info
| Bugtraq ID: | 30067 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-3091 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 02 2008 12:00AM |
| Updated: | May 07 2015 05:27PM |
| Credit: | John Morahan and Heine Deelstra |
| Vulnerable: | Drupal Taxonomy Autotagger 5.x-1.7 |
| Not Vulnerable: | Drupal Taxonomy Autotagger 5.x-1.8 |
Discussion
The Taxonomy Autotagger module for the Drupal CMS is prone to an SQL-injection issue and an HTML-injection issue.
The SQL-injection vulnerability occurs because the software fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The HTML-injection vulnerability occurs because the software fails to properly sanitize posts by users before returning them to the browser. Exploiting this issue could allow the attacker to inject hostile HTML and script code into vulnerable sections of the application. When viewed, this code may be rendered in the browser of a user visiting the affected site in the context of that site.
Versions prior to Taxonomy Autotagger 5.x-1.8 are vulnerable.
Exploit / POC
Attackers can use a browser to exploit this issue.
Solution / Fix
Solution:
The vendor has released an update. Please see the references for more information.
References
References: