* Advisory ID: DRUPAL-SA-CONTRIB-2009-009
* Project: Forward
* Versions: 5.x, 6.x
* Date: 2009-March-11
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Unrestricted e-mailing (spam)
-------- DESCRIPTION ---------------------------------------------------------
This vulnerability allows spammers or spambots to use sites with the forward module installed to send nearly unlimited e-mail.
Due to improper use of Drupal's flood control API, it is possible for one user to send an unlimited number of e-mails using the Forward module.
*Important note*: the security team has received reports of this vulnerability being actively exploited on production sites, and this advisory should be considered urgent.
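The advisory attributes the problem to improper use of Drupal's flood control API. As an added illustration of the defensive pattern (not the Forward module's own code, and not a description of the actual bug), the Drupal 6 submit handler below checks flood_is_allowed() before any mail goes out and calls flood_register_event() after every send, so one host cannot exceed the limit; the module name, the helper functions, the form field names and the threshold of 5 mails per hour are constructed for the example.

```php
<?php
// Added example, not the Forward module's code. Assumes Drupal 6 core APIs:
// flood_is_allowed($name, $threshold), flood_register_event($name),
// drupal_mail(), watchdog(), ip_address(). Module name 'example_forward',
// the form field names and the threshold are constructed values.

define('EXAMPLE_FORWARD_FLOOD_THRESHOLD', 5);   // constructed: 5 mails per hour

function example_forward_form_submit($form, &$form_state) {
  // flood_is_allowed() counts 'example_forward_mail' events registered from
  // the requesting IP within the last hour. The check has to run before the
  // mail is sent, and the event has to be registered after every send;
  // skipping either step leaves the limit unenforced.
  if (!flood_is_allowed('example_forward_mail', EXAMPLE_FORWARD_FLOOD_THRESHOLD)) {
    // Log the blocked attempt so operators can spot abuse in the watchdog log.
    watchdog('example_forward', 'Flood control blocked a forward attempt from %ip.',
      array('%ip' => ip_address()), WATCHDOG_WARNING);
    drupal_set_message(t('You cannot send more than @count messages per hour.',
      array('@count' => EXAMPLE_FORWARD_FLOOD_THRESHOLD)), 'error');
    return;
  }

  $to   = $form_state['values']['email'];   // constructed field name
  $path = $form_state['values']['path'];    // constructed field name
  drupal_mail('example_forward', 'forward_page', $to, language_default(),
    array('url' => url($path, array('absolute' => TRUE))));

  // Count this send against the requesting host for later checks.
  flood_register_event('example_forward_mail');
}

// hook_mail() implementation that builds the message drupal_mail() sends.
function example_forward_mail($key, &$message, $params) {
  if ($key == 'forward_page') {
    $message['subject'] = t('A page has been forwarded to you');
    $message['body'][]  = t('Someone thought you might like this page: @url',
      array('@url' => $params['url']));
  }
}
```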
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal 5.x before version 5.x-1.19
* Drupal 6.x development snapshots
Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you are running Drupal 5.x then upgrade to Forward 5.x-1.19 [1].
* If you are running a Drupal 6.x development snapshot from prior to March 11, 2009 then upgrade to 6.x-1.0 [2].
If you are unable to upgrade immediately, you should disable the Forward module as a work-around.
-------- REPORTED BY ---------------------------------------------------------
Helmut Debes
Dylan Wilder-Tack
Owen Barton
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://ftp.drupal.org/files/projects/forward-5.x-1.19.tar.gz
[2] http://ftp.drupal.org/files/projects/forward-6.x-1.0.tar.gz