• Advisory ID: DRUPAL-SA-2007-031
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-December-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection


The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.

To learn more about SQL injection, please read this article.

Versions affected

  • Drupal 4.7.x before Drupal 4.7.9
  • Drupal 5.x before Drupal 5.4


Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.9.
  • If you are running Drupal 5.x then upgrade to Drupal 5.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

  • Nadid Skywalker
  • Ivan Sergio Borgonovo


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.