See: https://www.drupal.org/SA-CORE-2015-003
http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=731dfacab8bf39918c135...
A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.
This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.
Credit for the D6/D7 version of this patch (the security release):
csabot3, Crell, pwolanin, YesCT, ircmaxell, greggles
Comment | File | Size | Author |
---|---|---|---|
#6 | 2554229-6.patch | 4.01 KB | stefan.r |
#4 | 2554229-3.patch | 2.48 KB | stefan.r |
#2 | 2554229-1.patch | 2.48 KB | stefan.r |
Comments
Comment #2
stefan.r commented
Comment #4
stefan.r commented
Comment #6
stefan.r commented
Comment #7
larowlan
Thanks!
Comment #8
effulgentsia (at Acquia) commented
Patch looks great. Adding credit to larowlan for reviewing and webchick for reporting.
Comment #9
effulgentsia (at Acquia) commented
Pushed to 8.0.x. Thanks!