------------SA-2008-005 - DRUPAL CORE - CROSS SITE REQUEST FORGERY------------
* Advisory ID: DRUPAL-SA-2008-005
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2008-January-10
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site request forgery
------------DESCRIPTION------------
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the browser would issue that GET with the user's session cookie and the items would be removed.
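The pattern the advisory describes, reduced to a runnable illustration (an added example, not Drupal's code): a toy feed-item store with two handlers. The first removes items on a bare GET, which is the vulnerable shape; the second accepts only a POST carrying a per-session, per-action token that a third-party page cannot read. All names, the secret, and the sample feed contents are constructed for this example.

```python
"""CSRF on a state-changing GET, and the token check that closes it.

Added example; none of this is Drupal code. The session id stands in for the
cookie the victim's browser attaches automatically, which is why it proves
nothing about who authored the request.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: a server-side secret unknown to other sites (constructed value).
SITE_SECRET = b"constructed-secret-for-illustration-only"


@dataclass
class Request:
    method: str
    session_id: str            # identifies the logged-in (privileged) user
    feed_id: int
    token: Optional[str] = None


@dataclass
class FeedStore:
    items: Dict[int, List[str]] = field(default_factory=dict)

    def remove_items(self, feed_id: int) -> int:
        """Drop every item of one feed; return how many were removed."""
        removed = len(self.items.get(feed_id, []))
        self.items[feed_id] = []
        return removed


def make_token(session_id: str, action: str) -> str:
    """Token bound to the session and the specific action (HMAC-SHA256)."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def valid_token(token: Optional[str], session_id: str, action: str) -> bool:
    """Constant-time comparison against the expected token for this session."""
    if token is None:
        return False
    return hmac.compare_digest(token, make_token(session_id, action))


def remove_items_vulnerable(store: FeedStore, req: Request) -> str:
    """Vulnerable shape: any GET to the URL acts with the victim's session."""
    n = store.remove_items(req.feed_id)
    return f"removed {n}"


def remove_items_hardened(store: FeedStore, req: Request) -> str:
    """Hardened shape: state changes only on POST with a valid token."""
    if req.method != "POST":
        return "405 method not allowed"
    if not valid_token(req.token, req.session_id, f"remove:{req.feed_id}"):
        return "403 forbidden"
    n = store.remove_items(req.feed_id)
    return f"removed {n}"


def demo() -> Dict[str, str]:
    """Run the same forged request against both handlers (constructed data)."""
    victim = "victim-session"
    # What an <img src="/remove-items-url"> on a third-party page produces:
    forged_get = Request("GET", victim, feed_id=1)
    results = {}

    results["vulnerable_get"] = remove_items_vulnerable(
        FeedStore({1: ["a", "b", "c"]}), forged_get)

    results["hardened_get"] = remove_items_hardened(
        FeedStore({1: ["a", "b", "c"]}), forged_get)
    results["hardened_post_no_token"] = remove_items_hardened(
        FeedStore({1: ["a", "b", "c"]}), Request("POST", victim, 1))
    results["hardened_post_bad_token"] = remove_items_hardened(
        FeedStore({1: ["a", "b", "c"]}), Request("POST", victim, 1, "0" * 64))

    # The site's own form embeds the token, so the legitimate request succeeds.
    legit = Request("POST", victim, 1, make_token(victim, "remove:1"))
    results["hardened_post_valid"] = remove_items_hardened(
        FeedStore({1: ["a", "b", "c"]}), legit)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the browser sends the session cookie with every request to the site, so the session alone cannot distinguish a click on the site's own page from a request triggered by another site; only a value the attacker's page cannot read, here the HMAC token delivered in the site's own form, does that. Requiring POST on its own is not sufficient (a hidden auto-submitting form can POST), which is why the token check is the part that matters.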
------------VERSIONS AFFECTED------------
* Drupal 4.7.x before version 4.7.11.
* Drupal 5.x before version 5.6.
------------SOLUTION------------
Install the latest version:
* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [ http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].
* If you are running Drupal 5.x then upgrade to Drupal 5.6 [ http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
* To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-4.7.10.patch ].
* To patch Drupal 5.5 use SA-2008-005-5.5.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-5.5.patch ].
------------REPORTED BY------------
The Drupal security team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].