* Advisory ID: DRUPAL-SA-CONTRIB-2009-045
* Project: Moderation (third-party module)
* Version: 5.x, 6.x
* Date: 2009-07-22
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Moderation module uses Ajax to provide a dynamic moderation queue for nodes and comments. The module is vulnerable to cross-site request forgery (CSRF [1]) via the Ajax callbacks used to toggle the moderation bit: the request that flips the bit carries nothing that ties it to the administrator's own session, so any page the administrator happens to load can issue it. This allows a non-administrative user to trick an administrator into publishing arbitrary moderated content by getting them to request the URL, for example through a link or an image src.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Moderation versions 5.x-1.x prior to 5.x-1.2
* Moderation versions 6.x-1.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Moderation module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Moderation for Drupal 5.x, upgrade to Moderation 5.x-1.2 [2]
* If you use Moderation for Drupal 6.x, upgrade to Moderation 6.x-1.3 [3]
See also the Moderation [4] project page.

-------- REPORTED BY ---------------------------------------------------------
Ben Ford.

-------- FIXED BY ------------------------------------------------------------
Stefan Auditor [5], the Moderation project maintainer, with assistance from Ben Jeavons [6] of the Drupal Security Team [7].

-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/527866
[3] http://drupal.org/node/527864
[4] http://drupal.org/project/moderation
[5] http://drupal.org/user/28074
[6] http://drupal.org/user/91990
[7] http://drupal.org/security-team
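The following is an added illustration of the CSRF shape described in the DESCRIPTION section, written for this page; it is not the Moderation module's code and not the patch shipped in 5.x-1.2 / 6.x-1.3. It shows, in Drupal 6 module terms, a toggle callback that can be driven from another site beside one that requires a per-session token from drupal_get_token() / drupal_valid_token(). The module name "moderation_example", the paths "moderation/toggle/%node" and "moderation/toggle-safe/%node", the token seed string and the "administer nodes" permission are assumptions made for the example.

```php
<?php
// Added example for this advisory, not the Moderation module's own code.
// Module name, paths, permission and token seed are assumptions.

/**
 * Implementation of hook_menu().
 */
function moderation_example_menu() {
  $items = array();

  // Vulnerable shape. The permission check only asks "is the requesting
  // browser logged in as someone who may administer nodes?". A request
  // triggered by <img src="http://site/moderation/toggle/123"> on a page
  // the administrator reads is sent with the administrator's cookies, so
  // it passes that check and the bit is flipped without their intent.
  $items['moderation/toggle/%node'] = array(
    'page callback' => 'moderation_example_toggle_vulnerable',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // Hardened shape. Same permission check, but the callback additionally
  // demands a token that is derived from the administrator's session and
  // the node ID, which a third-party page cannot know or guess.
  $items['moderation/toggle-safe/%node'] = array(
    'page callback' => 'moderation_example_toggle_safe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Page callback: flips the moderation bit with no CSRF protection.
 */
function moderation_example_toggle_vulnerable($node) {
  $node->moderate = $node->moderate ? 0 : 1;
  node_save($node);
  drupal_json(array('nid' => $node->nid, 'moderate' => $node->moderate));
}

/**
 * Page callback: flips the moderation bit only when the request carries a
 * valid token for this node.
 */
function moderation_example_toggle_safe($node) {
  // Binding the node ID into the token value means a token captured for
  // one node cannot be replayed against another.
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'moderation-toggle-' . $node->nid)) {
    drupal_access_denied();
    return;
  }
  $node->moderate = $node->moderate ? 0 : 1;
  node_save($node);
  drupal_json(array('nid' => $node->nid, 'moderate' => $node->moderate));
}

/**
 * Builds the toggle link the moderation queue page renders for a node,
 * carrying the token the safe callback expects. Because drupal_get_token()
 * mixes in the current session ID, only a page generated for this
 * administrator's session can produce a link that the check accepts.
 */
function moderation_example_toggle_link($node) {
  $query = 'token=' . drupal_get_token('moderation-toggle-' . $node->nid);
  return l(t('Toggle moderation'), 'moderation/toggle-safe/' . $node->nid, array(
    'query' => $query,
    'attributes' => array('class' => 'moderation-toggle'),
  ));
}
```

The point to take from the two callbacks is that `'access arguments'` is a permission check, not a CSRF check: the victim of a CSRF attack is precisely the user who holds the permission. Any state-changing Ajax endpoint needs the token check as well, whether the token travels in the query string of a link, as here, or in the body of a POST made by the queue's JavaScript. For the real module, upgrade to the versions listed under SOLUTION rather than patching callbacks by hand.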