Drupal Search Autocomplete Module Database API SQL Injection Vulnerability

Bugtraq ID:	51667
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 25 2012 12:00AM
Updated:	Jan 25 2012 12:00AM
Credit:	Miguel Hermo (serans)
Vulnerable:	Drupal Search Autocomplete 7.x-2.0
Not Vulnerable:	Drupal Search Autocomplete 7.x-2.1

Drupal Search Autocomplete Module Database API SQL Injection Vulnerability

Search Autocomplete module for Drupal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Drupal Search Autocomplete 7.x-2.1 are vulnerable.

Drupal Search Autocomplete Module Database API SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

Drupal Search Autocomplete Module Database API SQL Injection Vulnerability

Solution:
Updates are available. Please see the references for more details.

Drupal Search Autocomplete Module Database API SQL Injection Vulnerability

References:

• Drupal Homepage (Drupal)
  
• search_autocomplete 7.x-2.1 Homepage (Drupal)
  
• SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection (Drupal)