- Advisory ID: DRUPAL-SA-CONTRIB-2014-075
- Project: Biblio Autocomplete (third-party module)
- Version: 6.x, 7.x
- Date: 2014-August-06
- Security risk: 23/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Exploit/TD:100
- Vulnerability: Access bypass, SQL Injection
Description
This module provides functionality for AJAX based auto-completion of fields in the Biblio node type (provided by the Biblio module) using previously entered values and third party services.
The submodule "Biblio self autocomplete", which suggests previously entered values, does not sufficiently sanitize user input before using it in a database query.
Additionally, the AJAX autocompletion callback itself was not properly protected by an access check, so any visitor, including the anonymous user, could potentially query the data.
CVE identifier(s) issued
- CVE-2014-5249: SQL Injection
- CVE-2014-5250: Access Bypass
Versions affected
Drupal core is not affected. If you do not use the contributed Biblio Autocomplete module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Biblio Autocomplete module for Drupal 6.x, upgrade to Biblio Autocomplete 6.x-1.1.
- If you use the Biblio Autocomplete module for Drupal 7.x, upgrade to Biblio Autocomplete 7.x-1.5.
Additionally, the fixed releases add a new permission, "access biblio autocomplete", which controls access to the autocomplete search. Grant this permission to the roles that create or edit Biblio nodes; roles without it (including anonymous users) can no longer reach the callback.
Also see the Biblio Autocomplete project page.
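To make the two issues in the Description and the permission-based fix in the Solution concrete, here is an added example written for this page; it is not code from the Biblio Autocomplete module or from the Drupal Security Team. It is a minimal Drupal 7 module showing an autocomplete menu callback open to everyone with string-concatenated SQL, and next to it the hardened form that requires the new permission and uses placeholders. The module name, function names, URL paths, and the `biblio` table and column names are assumptions for illustration.

```php
<?php
// Added example (not the Biblio Autocomplete module's own code). The module
// name, paths, table and column names below are assumptions for illustration.

/**
 * Implements hook_permission().
 *
 * Declares the permission the fixed releases introduced; grant it to roles
 * that create or edit Biblio nodes.
 */
function biblio_ac_example_permission() {
  return array(
    'access biblio autocomplete' => array(
      'title' => t('Access Biblio autocomplete'),
      'description' => t('Query previously entered Biblio field values via the AJAX callback.'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function biblio_ac_example_menu() {
  $items = array();

  // BEFORE (access bypass): 'access callback' => TRUE lets every visitor,
  // anonymous users included, call the autocomplete endpoint.
  $items['biblio-ac-example/unsafe/%'] = array(
    'page callback' => 'biblio_ac_example_unsafe',
    'page arguments' => array(2),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // AFTER: the menu system checks the new permission before the callback runs.
  $items['biblio-ac-example/safe/%'] = array(
    'page callback' => 'biblio_ac_example_safe',
    'page arguments' => array(2),
    'access arguments' => array('access biblio autocomplete'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * BEFORE (SQL injection): the field name from the URL and the text the user
 * typed are concatenated straight into the statement, so a quote or SQL
 * keywords in either one change the query instead of being matched as data.
 */
function biblio_ac_example_unsafe($field, $string = '') {
  $matches = array();
  $sql = "SELECT DISTINCT $field FROM {biblio} WHERE $field LIKE '%" . $string . "%' LIMIT 10";
  foreach (db_query($sql)->fetchCol() as $value) {
    $matches[$value] = $value;
  }
  drupal_json_output($matches);
}

/**
 * AFTER: the column is restricted to a fixed whitelist (identifiers cannot be
 * bound as placeholders), the typed text is passed as a bound LIKE pattern
 * with db_like() escaping % and _, and values are escaped before output.
 */
function biblio_ac_example_safe($field, $string = '') {
  // Assumed column names; only these may be queried.
  $allowed = array('biblio_publisher', 'biblio_place_published', 'biblio_secondary_title');
  if (!in_array($field, $allowed, TRUE)) {
    return MENU_NOT_FOUND;
  }

  $matches = array();
  if ($string !== '') {
    $query = db_select('biblio', 'b')
      ->fields('b', array($field))
      ->distinct()
      ->condition($field, '%' . db_like($string) . '%', 'LIKE')
      ->range(0, 10);
    foreach ($query->execute()->fetchCol() as $value) {
      $safe = check_plain($value);
      $matches[$safe] = $safe;
    }
  }
  drupal_json_output($matches);
}
```

A quick check on a site after upgrading: request the autocomplete path as an anonymous user and confirm a 403 is returned, then grant "access biblio autocomplete" to the editor roles and confirm the suggestions come back for them. The whitelist in the hardened callback matters because Drupal's database API binds values, not column names, so a field name taken from the URL still has to be validated by the module itself.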
Reported by
Fixed by
- Carsten Logemann
- Damien McKenna provisional member of the Drupal Security Team
Coordinated by
- David Stoline of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal (http://drupal.org/writing-secure-code), and securing your site (http://drupal.org/security/secure-configuration).