Description

Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection vulnerability.

Certain characters aren't properly escaped by the Drupal database API. A malicious user may be able to access restricted information by performing a specially-crafted search.

Only sites that use contrib or custom modules which rely on the db_like() function may be affected.

CVE identifier(s) issued

  • CVE-2015-7876

Versions affected

  • Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Drupal 7 driver for SQL Server and SQL Azure module, there is nothing you need to do.

Solution

Install the latest version:

Although a 7.x-1.4 version has been released the 7.x-1.x branch is currently unsupported and not maintained.

Also see the Drupal 7 driver for SQL Server and SQL Azure project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity