Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities

from [Heine Deelstra] Network Security [Permanent Link]
Subject: [DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities
Date: Sun, 29 Jul 2007 23:47:49 +0200 
----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2007-017
----------------------------------------------------------------------------
Project:          Drupal core
Version:          5.x
Date:             2007-July-26
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Multiple cross site request forgeries
----------------------------------------------------------------------------

Description
-----------
Several parts in Drupal core are not protected against cross site request
forgeries [1] due to inproper use of the Forms API, or by taking action solely
on GET requests. Malicious users are able to delete comments and content
revisions and disable menu items by enticing a privileged users to visit
certain URLs while the victim is logged-in to the targeted site.


Versions affected
-----------------
- Drupal 5.x versions before Drupal 5.2


Solution
--------
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
   http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade.

- To patch Drupal 5.1 use
  http://drupal.org/files/sa-2007-017/SA-2007-017-5.1.patch.

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 5.1.


Reported by
-----------
Konstantin Käfer reported the menu issue.
The Drupal security team.


Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.

// Heine Deelstra, on behalf of the Drupal Security Team.

Attachment: signature.asc
Description: OpenPGP digital signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities, Heine Deelstra <=
Previous by Date:  [DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site scripting vulnerabilities, Heine Deelstra
Next by Date:  RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability, ilkerkandemir
Previous by Thread:  [DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site scripting vulnerabilities, Heine Deelstra
Next by Thread:  RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability, ilkerkandemir
Indexes:  [Date] [Thread] [Top] [All Lists]