[Security-news] SA-CONTRIB-2009-025 - Fivestar - Cross-site request forgery
security-news at drupal.org
Wed Apr 29 22:25:50 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-025
* Project: Fivestar (third-party module)
* Version: 5.x, 6.x
* Date: 2009-April-29
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross-site request forgery
-------- DESCRIPTION ---------------------------------------------------------
The Fivestar module provides a voting widget for content and records votes
using Ajax. The URL that the module's JavaScript requests to register a vote
is not protected against cross-site request forgery (CSRF [1]): a page on
another site can make a visitor's browser request that URL with the visitor's
own session, so users can be made to vote for content without their knowledge.
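The mechanism behind the advisory, as an added illustration that is not the Fivestar module's own code and not the fix shipped in 1.14: a vote endpoint that accepts any request carrying the right parameters can be triggered from a third-party page (an image tag or script pointing at the vote URL), because the browser attaches the victim's session cookie automatically. The hardened variant requires a token derived from a server-side secret, the caller's session and the target content, which a foreign page cannot compute. Names (`SITE_SECRET`, `vote_token`, `handle_vote_*`), the vote store and the session identifiers below are all constructed for this example.

```python
import hmac
import hashlib

# Constructed secret known only to the server (in a Drupal site this role is
# played by the site's private key). Never hard-code a real one like this.
SITE_SECRET = b"constructed-site-secret-for-illustration-only"


def vote_token(session_id: str, content_id: int) -> str:
    """Issue a token bound to the caller's session and the content being voted on.

    Binding to the session means a token leaked from one user is useless for
    another; binding to content_id means a token for one node cannot be replayed
    against a different node.
    """
    msg = f"fivestar-vote:{session_id}:{content_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def handle_vote_vulnerable(session_id: str, content_id: int, value: int, votes: dict) -> bool:
    """Vulnerable pattern: the only 'authentication' is the session cookie the
    browser sends with every request, including requests that another site's
    page caused it to make. Any well-formed request is recorded."""
    if not 1 <= value <= 5:
        return False
    votes.setdefault(content_id, {})[session_id] = value
    return True


def handle_vote_hardened(session_id: str, content_id: int, value: int,
                         token, votes: dict) -> bool:
    """Hardened pattern: the request must carry a token that was issued for this
    session and this content. A page on another origin cannot obtain it, so a
    forged request is rejected before the vote is stored."""
    if token is None:
        return False
    expected = vote_token(session_id, content_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected, token):
        return False
    if not 1 <= value <= 5:
        return False
    votes.setdefault(content_id, {})[session_id] = value
    return True


def forged_request(content_id: int, value: int) -> dict:
    """What an attacker's page can make the victim's browser send: the vote
    parameters chosen by the attacker, the victim's cookie added by the browser,
    and no token, because the attacker never had one."""
    return {"content_id": content_id, "value": value, "token": None}


def demo() -> tuple:
    """Run the forged request through both handlers and return (vulnerable, hardened)."""
    victim_session = "constructed-session-of-victim"
    req = forged_request(content_id=42, value=5)
    vuln_store, hard_store = {}, {}
    accepted_vuln = handle_vote_vulnerable(victim_session, req["content_id"], req["value"], vuln_store)
    accepted_hard = handle_vote_hardened(victim_session, req["content_id"], req["value"],
                                         req["token"], hard_store)
    return accepted_vuln, accepted_hard


if __name__ == "__main__":
    print("forged vote accepted (vulnerable, hardened):", demo())
```

Drupal 5 and 6 core expose the same idea as drupal_get_token() and drupal_valid_token(), which derive the token from the site's private key and the user's session; the advisory does not say how the 1.14 releases implement their check, so treat the code above as the general pattern rather than a description of the module's patch. The practitioner's check after upgrading is the one the example encodes: the vote URL, called with a valid session but without the token the widget's JavaScript would normally send, must not record a vote.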
-------- VERSIONS AFFECTED ---------------------------------------------------
* Fivestar 5.x-1.x prior to 5.x-1.14
* Fivestar 6.x-1.x prior to 6.x-1.14
Drupal core is not affected. If you do not use the contributed Fivestar
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Fivestar 5.x-1.x upgrade to Fivestar 5.x-1.14 [2]
* If you use Fivestar 6.x-1.x upgrade to Fivestar 6.x-1.14 [3]
See also the Fivestar project page [4].
-------- REPORTED BY ---------------------------------------------------------
John Morahan [5] of the Drupal security team.
-------- FIXED BY ------------------------------------------------------------
Nate Haug (quicksketch) [6] and Moshe Weitzman [7].
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/449028
[3] http://drupal.org/node/449026
[4] http://drupal.org/project/fivestar
[5] http://drupal.org/user/58170
[6] http://drupal.org/user/35821
[7] http://drupal.org/user/23