SQL injection vulnerability

Posted by Drupaler (not verified) on 2006-05-25 (Thu) 11:17

------------SQL INJECTION VULNERABILITY------------

* Advisory ID: DRUPAL-SA-2006-005
* Project: Drupal core
* Date: 2006-May-18
* Security risk: highly critical
* Impact: Drupal core
* Exploitable from: remote
* Vulnerability: SQL injection

------------DESCRIPTION------------

A security vulnerability in the database layer allowed certain queries to be
submitted to the database without going through Drupal's query sanitizer.

This problem represents a critical security vulnerability and should be patched
or upgraded immediately.

------------VERSIONS AFFECTED------------

- Drupal 4.6.6 and older.
- Drupal 4.7.0 and older.

------------SOLUTION------------

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.

You can also patch Drupal. To patch Drupal 4.6.6 to 4.6.7, use this patch:

http://drupal.org/files/sa-2006-005/4.6.6.patch

To patch Drupal 4.7.0 to 4.7.1, use this patch:

http://drupal.org/files/sa-2006-005/4.7.0.patch

------------REPORTED BY------------

Ayman Hourieh

-----------------------------------
If you're on shared (virtual) hosting and can't run patch, it seems a bit more troublesome.

Just edit the file directly: find the line in question and change it.

Lines starting with - are the ones to delete.
Lines starting with + are the ones to add.

--
from open mind to open source~