what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DRUPAL-SA-2007-017.txt

DRUPAL-SA-2007-017.txt
Posted Jul 31, 2007
Authored by Heine Deelstra | Site drupal.org

Drupal security advisory - Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site. Drupal versions 5.x below 5.2 are affected.

tags | advisory
SHA-256 | 46f0c7caa6742d83818685617d68d77ee84321da3ab65a8147df22b8fc719a1d

DRUPAL-SA-2007-017.txt

Change Mirror Download
----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2007-017
----------------------------------------------------------------------------
Project: Drupal core
Version: 5.x
Date: 2007-July-26
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site request forgeries
----------------------------------------------------------------------------

Description
-----------
Several parts in Drupal core are not protected against cross site request
forgeries [1] due to inproper use of the Forms API, or by taking action solely
on GET requests. Malicious users are able to delete comments and content
revisions and disable menu items by enticing a privileged users to visit
certain URLs while the victim is logged-in to the targeted site.


Versions affected
-----------------
- Drupal 5.x versions before Drupal 5.2


Solution
--------
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade.

- To patch Drupal 5.1 use
http://drupal.org/files/sa-2007-017/SA-2007-017-5.1.patch.

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 5.1.


Reported by
-----------
Konstantin Käfer reported the menu issue.
The Drupal security team.


Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.

// Heine Deelstra, on behalf of the Drupal Security Team.


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close