• Advisory ID: DRUPAL-SA-2008-041
  • Project: Taxonomy autotagger (third-party module)
  • Version: 5.x
  • Date: 2008-July-2
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting and SQL injection

Description

The Taxonomy Autotagger will automatically tag a post with terms from a vocabulary if the terms are found in the content of the post.

The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the permission to create or edit posts to perform SQL Injection attacks. These attacks may lead to the malicious user gaining administrator access.

The module also displays certain values without appropriate filtering. Malicious users with the permission to create or edit posts are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to a malicious user gaining administrator access.

Versions affected

  • Taxonomy Autotagger for Drupal 5.x prior to 5.x-1.8.

Drupal core is not affected. If you do not use the contributed Taxonomy Autotagger module, there is nothing you need to do.

Solution

Install the latest version:

See also the Taxonomy Autotagger project page.

Reported by

  • The SQL injection was reported by John Morahan.
  • The cross site scripting issue was reported by Heine Deelstra of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.