----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2007-017
----------------------------------------------------------------------------
Project: Drupal core
Version: 5.x
Date: 2007-July-26
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site request forgeries
----------------------------------------------------------------------------
Description
-----------
Several parts of Drupal core are not protected against cross site request
forgeries [1], either because of improper use of the Forms API or because
they take action solely on GET requests. Malicious users are able to delete
comments and content revisions and disable menu items by enticing a
privileged user to visit certain URLs while the victim is logged in to the
targeted site.
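The two patterns the advisory contrasts, shown side by side in an added
example that is not Drupal core code: a hypothetical Drupal 5.x module
"example_revisions" (all function names, paths and the revision-deletion
helper are invented for this illustration) exposing a "delete revision"
action once as a bare GET callback and once through the Forms API, which
attaches a per-session form_token and refuses to run the submit handler
unless the token validates.

```php
<?php
// Added illustration, not Drupal core code: a hypothetical Drupal 5.x module
// "example_revisions". Function and path names are invented for this example.

// Drupal 5 hook_menu(): 'callback' is the page callback, 'callback arguments'
// its arguments. Items that depend on the current path are built when !$may_cache.
function example_revisions_menu($may_cache) {
  $items = array();
  if (!$may_cache && arg(0) == 'example' && is_numeric(arg(1)) && is_numeric(arg(2))) {
    $node = node_load(arg(1));
    $vid = arg(2);
    $access = $node && user_access('administer nodes');

    // VULNERABLE pattern: a plain link whose page callback acts on a bare GET.
    // Any page the victim views can make the browser fetch this URL with the
    // victim's session cookie, and the deletion happens without confirmation.
    $items[] = array(
      'path' => 'example/'. arg(1) .'/'. $vid .'/delete-unsafe',
      'callback' => 'example_revisions_delete_unsafe',
      'callback arguments' => array($node, $vid),
      'access' => $access,
      'type' => MENU_CALLBACK,
    );

    // FIXED pattern: route the action through the Forms API. drupal_get_form()
    // renders a confirmation form carrying a form_token bound to the session;
    // the submit handler runs only for a POST whose token validates.
    $items[] = array(
      'path' => 'example/'. arg(1) .'/'. $vid .'/delete',
      'callback' => 'drupal_get_form',
      'callback arguments' => array('example_revisions_delete_confirm', $node, $vid),
      'access' => $access,
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

// Vulnerable callback: side effect on GET, no confirmation, no token check.
function example_revisions_delete_unsafe($node, $vid) {
  example_revisions_do_delete($node->nid, $vid);
  drupal_set_message(t('Revision deleted.'));
  drupal_goto('node/'. $node->nid .'/revisions');
}

// Form builder for the fixed path. confirm_form() supplies the question, the
// Cancel link and the submit button; the Forms API adds form_token itself.
function example_revisions_delete_confirm($node, $vid) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $form['vid'] = array('#type' => 'value', '#value' => $vid);
  return confirm_form($form,
    t('Are you sure you want to delete revision %vid of %title?',
      array('%vid' => $vid, '%title' => $node->title)),
    'node/'. $node->nid .'/revisions',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

// Submit handler (Drupal 5 signature): reached only after drupal_validate_form()
// accepted the form_token. The returned path is where the user is redirected.
function example_revisions_delete_confirm_submit($form_id, $form_values) {
  example_revisions_do_delete($form_values['nid'], $form_values['vid']);
  drupal_set_message(t('Revision deleted.'));
  return 'node/'. $form_values['nid'] .'/revisions';
}

// Placeholder for the actual deletion, shared by both paths so the only
// difference between them is how the request reaches it.
function example_revisions_do_delete($nid, $vid) {
  db_query('DELETE FROM {node_revisions} WHERE nid = %d AND vid = %d', $nid, $vid);
}
```

The confirmation form addresses both defects the advisory names at once:
the state change moves from a GET to a POST, and the POST is tied to the
victim's session through form_token, so a page on another site can neither
link to it nor replay it. When reviewing a module for this class of bug,
look for menu callbacks that change data without going through
drupal_get_form(), and for forms built by hand that skip the Forms API.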
Versions affected
-----------------
- Drupal 5.x versions before Drupal 5.2
Solution
--------
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz
Drupal 4.7.x is not affected.
If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade.
- To patch Drupal 5.1 use
http://drupal.org/files/sa-2007-017/SA-2007-017-5.1.patch.
Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 5.1.
Reported by
-----------
Konstantin Käfer reported the menu issue.
The Drupal security team.
Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.
// Heine Deelstra, on behalf of the Drupal Security Team.