* Advisory ID: DRUPAL-SA-CONTRIB-2009-009 * Project: Forward * Versions: 5.x, 6.x * Date: 2009-March-11 * Security risk: Highly Critical * Exploitable from: Remote * Vulnerability: Unrestricted e-mailing (spam)

-------- DESCRIPTION ---------------------------------------------------------

This vulnerability allows spammers or spambots to use sites with the forward module installed to send nearly unlimited e-mail.

Due to improper use of Drupal's flood control API, it is possible for one user to send an unlimited numbers of mails using the forward module.

*Important note*: the security team has received reports of this vulnerability being actively exploited on production sites, and this advisory should be considered urgent.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Drupal 5.x before version 5.x-1.19 * Drupal 6.x development snapshots

Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you are running Drupal 5.x then upgrade to Forward 5.x-1.19 [1]. * If you are running a Drupal 6.x development snapshot from prior to March 11, 2009 then upgrade to 6.x-1.0 [2]

If you are unable to upgrade immediately, you should disable the Forward module as a work-around. -------- REPORTED BY ---------------------------------------------------------

Helmut Debes

Dylan Wilder-Tack

Owen Barton

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://ftp.drupal.org/files/projects/forward-5.x-1.19.tar.gz [2] http://ftp.drupal.org/files/projects/forward-6.x-1.0.tar.gz