A SQL injection flaw was found in the way the views module for the Drupal (v6.x based), open-source content-management platform, performed sanitization of the database parameters for certain filters / arguments on certain types of views with specific configuration of arguments. A remote attacker could provide a specially-crafted SQL query, which once processed by the Drupal system instance could lead to arbitrary SQL commands execution. References: [1] http://drupal.org/node/1329898 [2] http://drupal.org/node/1329846
CVE request: [3] http://www.openwall.com/lists/oss-security/2011/11/04/1
This issue has been addressed in the following updates for drupal-views / drupal6-views packages in Fedora and Fedora EPEL: 1) drupal6-views-2.13-1.fc16, 2) drupal6-views-2.13-1.fc15, 3) drupal-views-6.x.2.13-1.fc14, 4) drupal6-views-2.13-1.el6, 5) drupal6-views-2.13-1.el5.
This has been assigned the name CVE-2011-4113: http://www.openwall.com/lists/oss-security/2011/11/04/3