- Advisory ID: DRUPAL-SA-2008-061
- Project: EveryBlog (third-party module)
- Versions: 5.x and 6.x
- Date: 2008-October-08
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: SQL injection, Cross-site scripting (XSS), Privilege escalation, Access bypass
The module does not follow Drupal best practices for database queries and handling of user submitted data, leading to a number of vulnerabilities. Of special concern is that an unprivileged user may become logged in to the account of an existing user, including an administrator.
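As an added illustration of the "best practices for database queries and handling of user submitted data" the advisory refers to, here is a hypothetical Drupal 5/6-era page callback in its unsafe and hardened forms. This is not code from the EveryBlog module or from the advisory; the `{everyblog_post}` table, the function names and the `administer everyblog` permission are assumed for the example.

```php
<?php
// Added example, not EveryBlog code. Table, function and permission names
// are assumed. Targets the Drupal 5/6 database and filter API of the time.

// Unsafe pattern: the request value is dropped straight into the SQL string
// (SQL injection) and the stored fields are echoed straight into HTML (XSS).
// There is also no access check, so any visitor can reach the data.
function everyblog_example_view_unsafe() {
  $blog_id = $_GET['blog'];
  $result = db_query("SELECT title, body, format FROM {everyblog_post} WHERE id = $blog_id");
  $post = db_fetch_object($result);
  return '<h2>' . $post->title . '</h2>' . $post->body;
}

// Hardened pattern: db_query() placeholders (%d casts to an integer, %s is
// escaped by Drupal), a permission check, and check_plain()/check_markup()
// on everything that reaches the browser. The argument arrives through the
// menu system rather than being read from $_GET.
function everyblog_example_view_hardened($blog_id) {
  if (!user_access('administer everyblog')) {
    drupal_access_denied();
    return;
  }
  $result = db_query("SELECT title, body, format FROM {everyblog_post} WHERE id = %d", $blog_id);
  $post = db_fetch_object($result);
  if (!$post) {
    drupal_not_found();
    return;
  }
  // Title is plain text: escape it. Body is filtered through the input
  // format it was saved with, never output raw.
  return '<h2>' . check_plain($post->title) . '</h2>'
       . check_markup($post->body, $post->format, FALSE);
}

// Drupal 6 hook_menu() wiring for the hardened callback (assumed module name).
// The access check is declared here as well, so the menu system enforces it
// before the callback runs.
function everyblog_example_menu() {
  $items['everyblog/%'] = array(
    'page callback'    => 'everyblog_example_view_hardened',
    'page arguments'   => array(1),
    'access arguments' => array('administer everyblog'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}
```

The two functions differ only in where the untrusted value enters the query, how it is escaped, and whether the response is filtered and access-checked; those are exactly the four classes listed in the advisory header.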
- Versions affected: all versions of EveryBlog
Drupal core is not affected. If you do not use the EveryBlog module, there is nothing you need to do.
Please disable the module and remove it from your site.
All affected releases of this module have been removed from Drupal.org.
- The privilege escalation was reported by Dan Hassel
- The SQL injection, XSS and access bypass were reported by members of the Drupal security team
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.