- Advisory ID: DRUPAL-SA-2008-005
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2008-January-10
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
Description
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove the items of a particular feed. This action has been implemented as a simple GET request and is therefore vulnerable to cross site request forgery: the browser of a logged-in user attaches the session cookie to any request for that URL, no matter which page triggered it. For example, should a privileged user view a page containing an <img> tag whose src attribute points to a remove-items URL, the items would be removed without the user's knowledge.
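The defect and its fix, as an added PHP illustration (not code from Drupal core or from the advisory's patches): a state-changing handler that accepts a plain GET, next to a version that requires a POST carrying a token bound to the user's session and to the feed being emptied. The function names, the `$feeds` array and the session secret are constructed for this example; a real site would keep the secret in the server-side session and render the token into a confirmation form.

```php
<?php
// Added illustration of the advisory's issue (not Drupal's own code).
// remove_items_vulnerable(), remove_items_hardened(), csrf_token() and
// $feeds are assumptions made for this example.

// Constructed in-memory stand-in for the aggregator items, keyed by feed id.
$feeds = array(
    7 => array('item A', 'item B'),
    8 => array('item C'),
);

// Per-session secret that a third-party page cannot read (PHP 7+ random_bytes).
// In a real application this lives in the server-side session, never in a URL.
$session_secret = bin2hex(random_bytes(16));

// VULNERABLE: state changes on a plain GET. Any page a logged-in user views
// can trigger it with an <img> tag, because the browser adds the session
// cookie to the image request automatically.
function remove_items_vulnerable(array &$feeds, array $get)
{
    $fid = isset($get['fid']) ? (int) $get['fid'] : 0;
    if (isset($feeds[$fid])) {
        $feeds[$fid] = array();
        return true;
    }
    return false;
}

// Token tied to the session secret and to the specific action and feed, so a
// token issued for one feed cannot be reused against another.
function csrf_token($session_secret, $fid)
{
    return hash_hmac('sha256', 'aggregator-remove:' . (int) $fid, $session_secret);
}

// HARDENED: only a POST with a valid token may touch state. An <img> tag can
// only issue a GET, and a cross-site page cannot compute the token.
function remove_items_hardened(array &$feeds, $method, array $post, $session_secret)
{
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($post['fid'], $post['token'])) {
        return false;
    }
    $fid = (int) $post['fid'];
    $expected = csrf_token($session_secret, $fid);
    // Constant-time comparison so the check does not leak the token byte by byte.
    if (!hash_equals($expected, (string) $post['token'])) {
        return false;
    }
    if (!isset($feeds[$fid])) {
        return false;
    }
    $feeds[$fid] = array();
    return true;
}

// Forged GET against the vulnerable handler (what the <img> trick sends).
var_dump(remove_items_vulnerable($feeds, array('fid' => 7)));
// Same forged GET against the hardened handler: rejected by the method check.
var_dump(remove_items_hardened($feeds, 'GET', array('fid' => 8), $session_secret));
// Forged POST with a guessed token: rejected by the token check.
var_dump(remove_items_hardened($feeds, 'POST', array('fid' => 8, 'token' => 'guess'), $session_secret));
// Legitimate confirmation-form submission carrying the real token.
$token = csrf_token($session_secret, 8);
var_dump(remove_items_hardened($feeds, 'POST', array('fid' => 8, 'token' => $token), $session_secret));
```

Running the script shows the first call emptying feed 7 while the two forged requests against the hardened handler return false and only the final, token-bearing POST empties feed 8. The method check alone is not sufficient (a cross-site form can still POST), which is why the token is bound to the session secret; the token alone is not sufficient either if the action still accepts GET, since the token would then have to appear in a URL that can leak through referrers and logs.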
Versions affected
- Drupal 4.7.x before version 4.7.11.
- Drupal 5.x before version 5.6.
Solution
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
- If you are running Drupal 5.x then upgrade to Drupal 5.6.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch.
- To patch Drupal 5.5 use SA-2008-005-5.5.patch.
Reported by
The Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.