Multiple vulnerabilities in Database Administration (dba) module
------------MULTIPLE VULNERABILITIES IN DATABASE ADMINISTRATION (DBA) MODULE------------
* Advisory ID: DRUPAL-SA-2007-013.
* Project: Database Administration (third-party module).
* Version: 4.6.x-1.*, 4.7.x-1.*.
* Date: 2007-April-11.
* Security risk: Critical.
* Exploitable from: Remote.
* Vulnerability: Cross site scripting and cross site request forgery.
------------DESCRIPTION------------
The Database Administration (dba) module allows site administrators with
sufficient privileges to view and directly modify the Drupal database tables for
a site. Numerous cross-site scripting (XSS) vulnerabilities were discovered
when the administrator runs queries to display data from the database, and in
other parts of the user interface. Learn more about XSS on Wikipedia
[http://en.wikipedia.org/wiki/Cross_site_scripting].
Additionally, the module was never fully ported to the Drupal Form API, so
there were places in the code that were still vulnerable to cross-site request
forgery (CSRF) attacks. See DRUPAL-SA-2006-025 [http://drupal.org//node/88828]
for more information.
Disabling the Database administration module provides an immediate workaround.
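To illustrate the two bug classes above in the form a module maintainer would fix them, here is an added example written for this advisory; it is not code from the dba module. The dba_example_* names, the 'dba_example_action' token seed and the admin/dba/action path are assumptions, and the Drupal 4.7 API functions used (check_plain, theme('table'), drupal_get_token, drupal_valid_token, l) are the ones the advisory's fix relies on.

```php
<?php
// Added example (not the dba module's code): escaping query results before
// display and tying a link-triggered admin action to the session with a token.
// Assumed names: dba_example_* functions, the 'dba_example_action' token seed,
// and the admin/dba/action/% menu path the page callback would be wired to.

// VULNERABLE pattern: raw database values are placed straight into the markup.
// Stored HTML in any column (a node body, a user name, a comment) then executes
// in the administrator's browser as soon as the rows are displayed.
function dba_example_rows_unescaped($result) {
  $rows = array();
  while ($row = db_fetch_array($result)) {
    $rows[] = array_values($row);             // no escaping at all
  }
  return theme('table', array(), $rows);
}

// FIXED pattern: every header and cell goes through check_plain(), so the
// data is rendered literally whatever it contains.
function dba_example_rows_escaped($result) {
  $header = array();
  $rows = array();
  while ($row = db_fetch_array($result)) {
    if (empty($header)) {
      $header = array_map('check_plain', array_keys($row));
    }
    $rows[] = array_map('check_plain', array_values($row));
  }
  return theme('table', $header, $rows);
}

// CSRF: a plain link such as admin/dba/action/users can be triggered by any
// page the logged-in administrator visits. Form API submit buttons carry a
// form token automatically; hand-built links and GET handlers do not, so the
// token has to be added and checked by hand.
function dba_example_action_link($table) {
  $token = drupal_get_token('dba_example_action');
  return l(t('Run action'), 'admin/dba/action/' . $table, array(), 'token=' . $token);
}

// Page callback for the link above: refuse the request unless the token
// round-trips for this user's session.
function dba_example_action_page($table) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'dba_example_action')) {
    return drupal_access_denied();
  }
  // Validate $table against the list of existing tables before using it in
  // any SQL, then perform the administrative action here.
  return t('Action applied to %table.', array('%table' => check_plain($table)));
}
```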
------------VERSIONS AFFECTED------------
* Database administration (dba) 4.7.x-1.* before version 4.7.x-1.2.
* All versions of dba.module 4.6.x-*.
Drupal core is not affected. If you do not use the contributed Database
administration module, there is nothing you need to do.
------------SOLUTION------------
* If your site is running 4.7.x, install the latest version: Database
administration 4.7.x-1.2 [http://drupal.org//node/135552].
* If your site is running 4.6.x, you should disable the dba.module. This
version is no longer supported and the currently released 4.6.x versions are
insecure.
Reported by:
* XSS by Derek Wright (dww [http://drupal.org/user/46549]) of the Drupal
Security Team.
* CSRF by Heine Deelstra (Heine [http://drupal.org/user/17943]) of the Drupal
Security Team.
