  1. CiviCRM
  2. CRM-3538

Unused functions offer gaping hole for SQL Injection vulnerability

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Blocker
    • Resolution: Fixed/Completed
    • Affects Version/s: 1.8, 1.9, 2.0
    • Fix Version/s: 2.1
    • Component/s: Core CiviCRM
    • Labels:
      None

      Description

      civicrm/drupal/api.php contains several functions. They are basically a massive tool to circumvent the Drupal API, which is bad enough; however, civicrm_drupal_create_user($email, $rid) contains a data-destruction bug (if a role ID is passed in, all of a user's current roles will be deleted) and an SQL injection vulnerability (though db_query() is used, variables are passed directly into the SQL, not as arguments).

      Luckily these functions aren't actually called from anywhere (I'm looking at a 2.0 install). I am just looking at Fisheye and I see that the file has already been removed in 2.1. However, the fact that it exists means that it was probably in use at some point, and so whatever versions did include calls to this function will need to be marked as vulnerable and the community notified.

      Since the functions are not actually called anywhere in 2.0, I don't think a security release will need to be made for 2.0.
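
The two defect classes named in the report, shown as an added example that is not CiviCRM's code and not part of the original report. The table layout, function names and sample rows are assumptions, and PDO with in-memory SQLite stands in for Drupal's db_query() so the script runs on its own.

```php
<?php
// Added illustration: hypothetical schema and function names, not CiviCRM's api.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, mail TEXT)");
$db->exec("CREATE TABLE users_roles (uid INTEGER, rid INTEGER, PRIMARY KEY (uid, rid))");
$db->exec("INSERT INTO users VALUES (1, 'alice@example.org'), (2, 'bob@example.org')");
$db->exec("INSERT INTO users_roles VALUES (1, 3), (1, 4)");  // constructed sample rows

// Unsafe: the value becomes part of the SQL text, so a quote in $email
// changes the structure of the statement.
function find_uids_interpolated(PDO $db, string $email): array {
    return $db->query("SELECT uid FROM users WHERE mail = '$email'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value travels as an argument and is never parsed as SQL.
function find_uids_bound(PDO $db, string $email): array {
    $stmt = $db->prepare("SELECT uid FROM users WHERE mail = ?");
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Destructive: granting one role first wipes every role the user already had.
function set_role_destructive(PDO $db, int $uid, int $rid): void {
    $db->prepare("DELETE FROM users_roles WHERE uid = ?")->execute([$uid]);
    $db->prepare("INSERT INTO users_roles VALUES (?, ?)")->execute([$uid, $rid]);
}

// Additive: only the missing (uid, rid) pair is inserted.
function add_role(PDO $db, int $uid, int $rid): void {
    $db->prepare("INSERT OR IGNORE INTO users_roles VALUES (?, ?)")->execute([$uid, $rid]);
}

function roles_of(PDO $db, int $uid): string {
    $stmt = $db->prepare("SELECT rid FROM users_roles WHERE uid = ? ORDER BY rid");
    $stmt->execute([$uid]);
    return implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

$crafted = "nobody@example.org' OR '1'='1";  // constructed input containing a quote
printf("interpolated lookup: %d row(s)\n", count(find_uids_interpolated($db, $crafted)));
printf("bound lookup:        %d row(s)\n", count(find_uids_bound($db, $crafted)));

add_role($db, 1, 5);
printf("roles after add_role:             %s\n", roles_of($db, 1));
set_role_destructive($db, 1, 5);
printf("roles after set_role_destructive: %s\n", roles_of($db, 1));
```

In Drupal 5/6 the equivalent of the bound form is passing values as extra arguments to db_query() with `'%s'` and `%d` placeholders in the query string.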

            People

            • Assignee:
              neha.saraph Neha Kulkarni
              Reporter:
              dalin dave hansen-lange