SA-2008-005 – Drupal core – Cross site request forgery

  • Advisory ID: DRUPAL-SA-2008-005
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery

Description

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.

Versions affected

  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

Leave a Reply