----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2007-017
----------------------------------------------------------------------------
Project:          Drupal core
Version:          5.x
Date:             2007-July-26
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Multiple cross site request forgeries
----------------------------------------------------------------------------

Description
-----------
Several parts in Drupal core are not protected against cross site request
forgeries [1] due to inproper use of the Forms API, or by taking action solely
on GET requests. Malicious users are able to delete comments and content
revisions and disable menu items by enticing a privileged users to visit
certain URLs while the victim is logged-in to the targeted site.


Versions affected
-----------------
- Drupal 5.x versions before Drupal 5.2


Solution
--------
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
   http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade.

- To patch Drupal 5.1 use
  http://drupal.org/files/sa-2007-017/SA-2007-017-5.1.patch.

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 5.1.


Reported by
-----------
Konstantin Käfer reported the menu issue.
The Drupal security team.


Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.

// Heine Deelstra, on behalf of the Drupal Security Team.