* Advisory ID: DRUPAL-SA-CONTRIB-2010-074 * Projects: Drupad (third-party module) * Version: 6.x * Date: 2010-07-14 * Security risks: Critical * Exploitable from: Remote * Vulnerability: CSRF
-------- DESCRIPTION ---------------------------------------------------------
The Drupad module is the companion module of the iPhone / iPodTouch application also called Drupad. The module doesn't check if the incoming request is made from the application, leading to a CSRF vulneraby. This vulnerability can be used to delete users and content, or set the site in offline mode when a privileged user visits a malicious site. -------- VERSIONS AFFECTED ---------------------------------------------------
* Drupad for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Drupad [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * Upgrade to Drupad 6.x-1.1 [2]
See also the Drupad project page [3]. -------- REPORTED BY ---------------------------------------------------------
* Heine Deelstra [4] of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Jérémy Chatard [5], module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/drupad [2] http://drupal.org/node/854034 [3] http://drupal.org/project/drupad [4] http://drupal.org/user/17943 [5] http://drupal.org/user/130002