* Advisory ID: DRUPAL-SA-CONTRIB-2010-105 * Project: Outline Designer (third-party module) * Version: 6.x * Date: 2010-December-01 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross-site Request Forgery -------- DESCRIPTION --------------------------------------------------------- Outline Designer allows for easier creation and management of items in a Book. The Outline Designer modules does not properly protect some of its paths against Cross Site Request Forgeries (CSRF), allowing an attacker to get a user with the permission to administer site configuration to change any book nodes. -------- VERSIONS AFFECTED --------------------------------------------------- * Outline Designer for Drupal 6.x prior to Outline Designer 6.x-1.2 Drupal core is not affected. If you do not use the contributed module Outline Designer there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Outline Designer for Drupal 6.x upgrade to Outline Designer 6.x-1.2 [1] See also the Outline Designer [2] project page. -------- REPORTED BY --------------------------------------------------------- * Bryan Ollendyke (btopro [3]), module maintainer -------- FIXED BY ------------------------------------------------------------ * Bryan Ollendyke (btopro [4]), module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [5], writing secure code for Drupal [6], and secure configuration [7] of your site. [1] http://drupal.org/node/954666 [2] http://drupal.org/project/outline_designer [3] http://drupal.org/user/24286 [4] http://drupal.org/user/24286 [5] http://drupal.org/security-team [6] http://drupal.org/writing-secure-code [7] http://drupal.org/security/secure-configuration