SA-2007-029 – Drupal core – User deletion cross site request forgery

  • Advisory ID: DRUPAL-SA-2007-029
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery

Description

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.

Versions affected

  • Drupal 5.x before version 5.3.

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

This vulnerability was discovered during an audit of Drupal 5.1 by Stefan Esser and Mayflower GmbH. This audit was commissioned by die Zeit Online GmbH.

We wish to thank die Zeit Online for sharing the results with us.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

Leave a Reply