[DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities

From: Heine Deelstra <hdeelstra(at)gmail.com>
Date: Sun Jul 29 2007 - 17:47:49 EDT


Drupal security advisory                                  DRUPAL-SA-2007-017
----------------------------------------------------------------------------
Project:          Drupal core
Version:          5.x
Date:             2007-July-26

Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site request forgeries

Description

Several parts of Drupal core are not protected against cross site request forgeries [1], either because of improper use of the Forms API or because they take action solely on GET requests. Malicious users are able to delete comments and content revisions and to disable menu items by enticing a privileged user to visit certain URLs while the victim is logged in to the targeted site.
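The two defects named above (acting on a bare GET, and accepting a state-changing POST without a token bound to the victim's session) are easiest to see side by side. The following is an added illustration, not code from Drupal core or from this advisory: it models a comment-deletion handler as a plain Python function, with a constructed request object and a constructed in-memory comment store, and shows why a link or image embedded on a third-party page triggers the vulnerable variant but not the hardened one. `SERVER_SECRET`, `Request`, and the `"delete-comment"` action name are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed private site key. In a real deployment this is a server-side
# secret the browser never sees; it is what makes tokens unforgeable.
SERVER_SECRET = b"constructed-private-site-key"


def make_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action (assumed design, not Drupal's)."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, action: str) -> bool:
    """Constant-time comparison against the token this session should hold."""
    expected = make_token(session_id, action)
    return hmac.compare_digest(token.encode(), expected.encode())


class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""

    def __init__(self, method: str, session_id: str, params=None):
        self.method = method
        self.session_id = session_id      # cookie-bound session, sent by the browser
        self.params = params or {}        # query string or form fields


def delete_comment_vulnerable(request: Request, store: dict) -> bool:
    """Acts on any request, GET included, with no proof the user intended it.
    An <img src="...?cid=1"> on an attacker's page is enough, because the
    victim's browser attaches the session cookie automatically."""
    cid = int(request.params["cid"])
    return store.pop(cid, None) is not None


def delete_comment_hardened(request: Request, store: dict) -> bool:
    """Requires a POST carrying a token bound to this session and this action.
    A cross-site page cannot read the victim's token, so it cannot forge one."""
    if request.method != "POST":
        return False
    token = request.params.get("token", "")
    if not valid_token(token, request.session_id, "delete-comment"):
        return False
    cid = int(request.params["cid"])
    return store.pop(cid, None) is not None


def simulate() -> dict:
    """Run four requests against each handler and report what got deleted."""
    session = "victim-session-constructed"
    results = {}

    # 1. Forged GET (the image-tag case) against the vulnerable handler.
    store = {1: "first", 2: "second"}
    forged_get = Request("GET", session, {"cid": "1"})
    results["vulnerable_forged_get"] = delete_comment_vulnerable(forged_get, store)

    # 2. Same forged GET against the hardened handler: refused.
    store = {1: "first", 2: "second"}
    results["hardened_forged_get"] = delete_comment_hardened(forged_get, store)

    # 3. Forged POST (auto-submitting form) without a valid token: refused.
    store = {1: "first", 2: "second"}
    forged_post = Request("POST", session, {"cid": "1", "token": "guess"})
    results["hardened_forged_post"] = delete_comment_hardened(forged_post, store)

    # 4. Legitimate POST from the site's own confirmation form: honoured.
    store = {1: "first", 2: "second"}
    real_post = Request("POST", session,
                        {"cid": "1", "token": make_token(session, "delete-comment")})
    results["hardened_real_post"] = delete_comment_hardened(real_post, store)
    results["remaining_after_real_post"] = sorted(store)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The hardened variant is the shape the Forms API gives you for free when a destructive action goes through a confirmation form: the token is generated server-side, embedded in the form the real site renders, and checked on submit. The fix class in this advisory is therefore not "add a token everywhere" but "never perform the action on GET, and route the POST through the API that already validates the token".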

Versions affected

  • Drupal 5.x versions before Drupal 5.2

Solution

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 5.1.

Reported by

  • Konstantin Käfer reported the menu issue.
  • The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

// Heine Deelstra, on behalf of the Drupal Security Team.

Received on Mon Jul 30 14:07:35 2007
