SQL injection vulnerability

------------SQL INJECTION VULNERABILITY------------

* Advisory ID: DRUPAL-SA-2006-005

* Project: Drupal core

* Date: 2006-May-18

* Security risk: highly critical

* Impact: Drupal core

* Exploitable from: remote

* Vulnerability: SQL injection

------------DESCRIPTION------------

A security vulnerability in the database layer allowed certain queries to be
submitted to the database without going through Drupal's query sanitizer.

This problem represents a critical security vulnerability and should be patched
or upgraded immediately.

------------VERSIONS AFFECTED------------

- Drupal 4.6.6 and older.
- Drupal 4.7.0 and older.

------------SOLUTION------------

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.

You can also patch Drupal. To patch Drupal 4.6.6 to 4.6.7, use this patch:

http://drupal.org/files/sa-2006-005/4.6.6.patch

To patch Drupal 4.7.0 to 4.7.1, use this patch:

http://drupal.org/files/sa-2006-005/4.7.0.patch

------------REPORTED BY------------

Ayman Hourieh

-----------------------------------
要是虛擬主機，沒法用patch，好像麻煩點。