Scoutnet vzw http://forum.scoutnet.be/ |
|
[Drupal] Security announcements: Feature - CSRF http://forum.scoutnet.be/viewtopic.php?f=19&t=2020 |
Pagina 1 van 1 |
Auteur: | To [ 06 Dec 2007 19:56 ] |
Titel: | [Drupal] Security announcements: Feature - CSRF |
------------SA-2007-033 - FEATURE - CSRF------------ * Advisory ID: DRUPAL-SA-2007-033 * Project: Feature module (third-party module) * Version: 4.7.x, 5.x * Date: 2007-December-05 * Security risk: Not critical * Exploitable from: Remote * Vulnerability: Cross site request forgery ------------DESCRIPTION------------ Feature is a contributed module that lets you organize and maintain a feature list by category. The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The feature deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of features. To learn more about Cross Site Request Forgeries please read this article [ http://en.wikipedia.org/wiki/Cross-site_request_forgery ]. ------------VERSIONS AFFECTED------------ * Feature 4.7.x-dev before December 6, 2007. * Feature 5.x-dev before December 6, 2007. ------------SOLUTION------------ Install the latest version: * If you use Drupal 4.7.x upgrade to Feature 4.7.x-1.0 [ http://drupal.org/node/198172 ] * If you use Drupal 5.x upgrade to Feature 5.x-1.0 [ http://drupal.org/node/198171 ] ------------REPORTED BY------------ Stéphane Corlosquet (scor) ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. |
Pagina 1 van 1 | Alle tijden zijn UTC + 1 uur |
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/ |