  • Advisory ID: DRUPAL-SA-CONTRIB-2011-009
  • Project: Droptor (third-party module)
  • Version: 6.x
  • Date: 2011-February-02
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection

Description

The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring and management solution. When capturing memory logging information, the module does not filter the value taken from the current page request variable before using it in a database query. This can be exploited to perform an SQL injection attack. The vulnerability is mitigated by the fact that memory monitoring must be enabled, which is not the default configuration.
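As an added illustration, not the Droptor module's own code, the unsafe pattern the advisory describes beside the Drupal 6 form that lets db_query() bind the value; the table, column and function names here are assumptions, and only the pattern (unfiltered request data inside a db_query() string) comes from the advisory.

```php
<?php
// Added example for this advisory, not code from the Droptor module.
// Table, column and function names are hypothetical.

// Vulnerable pattern: the request variable is concatenated straight into SQL.
// In Drupal 6 the current page path arrives as the 'q' request parameter,
// so whatever the client sends becomes part of the query text.
function droptor_example_log_memory_unsafe() {
  $page  = $_GET['q'];                      // client-controlled
  $usage = memory_get_peak_usage(TRUE);
  db_query("INSERT INTO {droptor_memory_example} (page, bytes) VALUES ('"
    . $page . "', " . $usage . ")");
}

// Hardened pattern: pass the values as arguments. In Drupal 6, db_query()
// runs %s through db_escape_string() and casts %d to an integer, so no
// request data is ever interpreted as SQL.
function droptor_example_log_memory_safe() {
  $page  = isset($_GET['q']) ? $_GET['q'] : '';
  $usage = memory_get_peak_usage(TRUE);
  db_query("INSERT INTO {droptor_memory_example} (page, bytes) VALUES ('%s', %d)",
    $page, $usage);
}
```

When auditing a Drupal 6 module for this class of bug, look for db_query() calls whose first argument is built with string concatenation or interpolation rather than %s/%d placeholders.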

Versions affected

  • Droptor module for Drupal 6.x before version 6.x-2.8

Only sites that have "memory monitoring" enabled in their Droptor settings page are affected. The Drupal 7 version of this module is not affected. Drupal core is not affected. If you do not use the contributed Droptor module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Droptor module for Drupal 6.x before version 6.x-2.8, upgrade to Droptor 6.x-2.8.

See also the Droptor project page.

Reported by

Fixed by

  • Justin Emond (jemond), module maintainer

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.