* Advisory ID: DRUPAL-SA-CONTRIB-2009-017 * Project: Vote Up/Down (third-party module) * Version: 5.x, 6.x * Date: 2009-March-25 * Security risk: Not critical * Exploitable from: Remote * Vulnerability: Cross-site request forgery
-------- DESCRIPTION ---------------------------------------------------------
The Vote Up/Down module provides a voting widget for content that records votes using Ajax. The URL for voting is vulnerable to cross-site request forgeries (CSRF [1]) making it possible for users to unknowingly vote for content. -------- VERSIONS AFFECTED ---------------------------------------------------
* Vote Up/Down 5.x-1.x prior to 5.x-1.1 * Vote Up/Down 6.x-1.x prior to 6.x-1.0-beta4
Drupal core is not affected. If you do not use the contributed Vote Up/Down module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use Vote Up/Down 5.x-1.x upgrade to Vote Up/Down 5.x-1.1 [2] * If you use Vote Up/Down 6.x-1.x upgrade to Vote Up/Down 6.x-1.0-beta4 [3]
See also the Vote Up/Down project page [4]. -------- REPORTED BY ---------------------------------------------------------
Alexandr Shvets [5]. -------- FIXED BY ------------------------------------------------------------
Pratul Kalia [6]. -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf [2] http://drupal.org/node/413818 [3] http://drupal.org/node/413896 [4] http://drupal.org/project/vote_up_down [5] http://drupal.org/user/233667 [6] http://drupal.org/user/162357