Drupal core – Cross site request forgeries

  • Advisory ID: DRUPAL-SA-2007-017
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-July-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site request forgeries


Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site.

Versions affected

  • Drupal 5.x before version 5.2.


Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.2.

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

  • Konstantin Käfer reported the menu issue.
  • The Drupal security team.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

Leave a Reply