Bug 249400

Summary: www-apps/drupal-{5,6}.x Multiple vulnerabilities
Product: Gentoo Security
Reporter: Matti Bickel (RETIRED) <mabi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://drupal.org/node/339553
Whiteboard:
Package list:
Runtime testing required: ---

Description Matti Bickel (RETIRED) gentoo-dev 2008-11-30 16:12:40 UTC
From: http://drupal.org/node/339553

The User Karma module displays and manages karma points of users. How karma points are calculated is defined by other modules which hook into the User Karma module.

Unfortunately the User Karma module allows administrators to enter a list of content types and voting API values which are then used directly in SQL queries without being sanitized, enabling SQL injection attacks by malicious users. The module also contains a cross site scripting attack (XSS) vulnerability as some messages are displayed without being sanitized.

Versions Affected

    * Versions of User Karma for Drupal 5.x prior to 5.x-1.13
    * Versions of User Karma for Drupal 6.x prior to 6.x-1.0-beta1

Drupal core is not affected. If you do not use the User Karma module, there is nothing you need to do.
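The defect the advisory describes, as an added example that is neither the User Karma module's nor Drupal's code: the administrator-entered content type list spliced into an SQL IN clause, beside a version that binds each value and a save-time allow-list check. PDO with an in-memory SQLite database stands in for Drupal's database layer, and the node rows are constructed sample data.

```php
<?php
// Added example, not code from the User Karma module or from Drupal. It models
// the flaw described above: an administrator-entered list of content types is
// spliced verbatim into an SQL IN (...) clause. The rows and types below are
// constructed sample data; PDO + SQLite stand in for Drupal's database layer.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT NOT NULL)");
$db->exec("INSERT INTO node (nid, type) VALUES (1, 'story'), (2, 'page'), (3, 'forum')");

// Admin setting as the module would store it: free-form, comma separated.
function parse_types(string $setting): array {
    return array_values(array_filter(array_map('trim', explode(',', $setting)), 'strlen'));
}

// VULNERABLE: the setting becomes SQL text; a stray quote breaks the statement.
function karma_nids_vulnerable(PDO $db, string $setting): array {
    $in = "'" . implode("','", parse_types($setting)) . "'";
    return $db->query("SELECT nid FROM node WHERE type IN ($in)")->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: one bound parameter per value, so each type travels as data only.
function karma_nids_hardened(PDO $db, string $setting): array {
    $types = parse_types($setting);
    if ($types === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($types), '?'));
    $stmt = $db->prepare("SELECT nid FROM node WHERE type IN ($placeholders)");
    $stmt->execute($types);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// DEFENCE IN DEPTH: validate the setting against the site's real content
// types when it is saved, so only known machine names ever reach a query.
function karma_types_valid(string $setting, array $known): bool {
    $types = parse_types($setting);
    return $types !== [] && array_diff($types, $known) === [];
}

var_dump(karma_nids_hardened($db, 'story, forum'));                 // nids 1 and 3
var_dump(karma_nids_hardened($db, "stor'y"));                       // empty: quote is data
var_dump(karma_types_valid("stor'y", ['story', 'page', 'forum']));  // bool(false)
try {
    karma_nids_vulnerable($db, "stor'y");                           // unbalanced quote
} catch (PDOException $e) { echo "vulnerable builder produced invalid SQL: ", $e->getMessage(), "\n"; }
```

The same single quote that is harmless data in the bound version changes the SQL the vulnerable builder emits, which is the mechanism behind the advisory's SQL injection finding.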
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2008-11-30 16:23:48 UTC
We don't actually ship this plugin. Sorry for the noise.