• Advisory ID: DRUPAL-SA-2008-058
  • Project: Brilliant Gallery (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2008-September-25
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL injection


The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the "access brilliant_gallery" permission to perform SQL Injection attacks. These attacks may lead to the malicious user gaining administrator access.

Versions Affected

  • All versions of Brilliant Gallery

Drupal core is not affected. If you do not use the Brilliant Gallery module, there is nothing you need to do.


There is no solution available. Please disable the module and remove it from your site.

The module has been removed from Drupal.org.

Reported by

  • The SQL injection vulnerability was reported by Justin Klein Keane (Justin_KleinKeane)


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.