* Advisory ID: DRUPAL-SA-CONTRIB-2010-110 * Project: Drupal For Firebug (third-party module) * Version: 5.x, 6.x * Date: 2010-Dec-15 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross-site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

The Drupal For Firebug module allows developers to use Firebug to get debugging information about their Drupal installation.

The module does not properly protect the form used to submit PHP code against Cross-site Request Forgeries (CSRF [1]), allowing a malicious user to trick an authorized user into executing arbitrary PHP code.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Drupal For Firebug 5.x versions prior to 5.x-1.5 * Drupal For Firebug 6.x versions prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed Drupal For Firebug [2] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Drupal For Firebug 5.x, upgrade to Drupal For Firebug 5.x-1.5 [3] * If you use Drupal For Firebug 6.x, upgrade to Drupal For Firebug 6.x-1.4 [4]

See also the Drupal For Firebug project page [5].

-------- REPORTED BY ---------------------------------------------------------

* mr.baileys [6] of the Drupal security team

-------- FIXED BY ------------------------------------------------------------

* Matt Cheney (populist [7]), module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [8].

[1] http://en.wikipedia.org/wiki/Cross-site_request_forgery [2] http://drupal.org/project/drupalforfirebug [3] http://drupal.org/node/998568 [4] http://drupal.org/node/998566 [5] http://drupal.org/project/drupalforfirebug [6] http://drupal.org/user/383424 [7] http://drupal.org/user/58600 [8] http://drupal.org/contact