Date: Fri, 04 Nov 2011 11:49:16 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com Subject: CVE Request -- Drupal (v6.x based) Views module - SQL injection due improper escaping of database parameters for certain filters / arguments (SA-CONTRIB-2011-052) Hello Kurt, Steve, vendors, a SQL injection flaw was found in the way the views module for the Drupal (v6.x based), open-source content-management platform, performed sanitization of the database parameters for certain filters / arguments on certain types of views with specific configuration of arguments. A remote attacker could provide a specially-crafted SQL query, which once processed by the Drupal system instance could lead to arbitrary SQL commands execution. References:  http://drupal.org/node/1329898  http://drupal.org/node/1329846  https://bugzilla.redhat.com/show_bug.cgi?id=751325 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.