------------SA-2007-033 - FEATURE - CSRF------------
* Advisory ID: DRUPAL-SA-2007-033
* Project: Feature module (third-party module)
* Version: 4.7.x, 5.x
* Date: 2007-December-05
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site request forgery
------------DESCRIPTION------------
Feature is a contributed module that lets you organize and maintain a feature list by category.
The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The feature deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of features.
To learn more about Cross Site Request Forgeries please read this article [
http://en.wikipedia.org/wiki/Cross-site_request_forgery ].
------------VERSIONS AFFECTED------------
* Feature 4.7.x-dev before December 6, 2007.
* Feature 5.x-dev before December 6, 2007.
------------SOLUTION------------
Install the latest version:
* If you use Drupal 4.7.x upgrade to Feature 4.7.x-1.0 [
http://drupal.org/node/198172 ]
* If you use Drupal 5.x upgrade to Feature 5.x-1.0 [
http://drupal.org/node/198171 ]
------------REPORTED BY------------
Stéphane Corlosquet (scor)
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].