• Advisory ID: DRUPAL-SA-2007-003.
  • Project: Acidfree (third-party module).
  • Version: 4.6.x, 4.7.x
  • Date: 2007-Jan-23.
  • Security risk: Highly critical.
  • Exploitable from: Remote.
  • Vulnerability: SQL Injection.


Under certain circumstances, node titles are not escaped before being used in an SQL query, allowing a malicious user with the 'create acidfree albums' privilege and the ability to create acidfree content, to execute an SQL injection attack. These attacks may lead to administrator access.

Versions affected

All versions before

  • Acidfree 4.6.x-1.0.
  • Acidfree 4.7.x-1.0.

Drupal core is not affected. If you do not use the contributed Acidfree module, there is nothing you need to do.


Install the latest version:

See also the Acidfree project page.

Reported by

Brett Yagel (yagel).


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.