Drupal Association members fund grants that make connections all over the world.
- Advisory ID: SA-2008-031
- Project: Pblog (third-party module)
- Versions: none
- Date: 2008-June-11
- Security risk: Not critical
- Exploitable from: Remote
- Subject: Incorrect vulnerability report
Several 'security'-related sources claim - with SecurityFocus as source (http://www.securityfocus.com/bid/29495/info) - that the third-party Drupal module Pblog is vulnerable to SQL injection attacks. The Drupal security team has investigated the matter and concluded that these sources confuse the Drupal module Pblog and the blogging platform Life Type (http://lifetype.net/ , formerly plog).
The Life Type team assured us that the 3 year old vulnerable version of plog 1.0.x has been surpassed by later versions which do not contain this vulnerability.
While we have not received any response from SecurityFocus, we hope corrections to their announcement will be made shortly.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.