[Security-news] SA-CONTRIB-2009-045: Moderation - Cross Site Request Forgery
security-news at drupal.org
security-news at drupal.org
Wed Jul 22 20:22:26 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-045
* Project: Moderation (third-party module)
* Version: 5.x, 6.x
* Date: 2009-07-22
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Moderation module uses Ajax to provide a dynamic moderation queue for
nodes and comments. The module is vulnerable to cross-site request forgeries
(CSRF [1]) via the AJAX hooks used to toggle the moderation bit. It allows a
non-administrative user to trick an admin into publishing arbitrary moderated
content by directing them to the url via link or image src, etc.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Moderation versions 5.x-1.x prior to 5.x-1.2
* Moderation versions 6.x-1.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Moderation
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Moderation versions for Drupal 5.x upgrade to Moderation
version 5.x-1.2 [2]
* If you use Moderation versions for Drupal 6.x upgrade to Moderation
version 6.x-1.3 [3]
See also the Moderation [4] project page.
-------- REPORTED BY
---------------------------------------------------------
Ben Ford.
-------- FIXED BY
------------------------------------------------------------
Stefan Auditor [5], the Moderation project maintainer, with assistance from
Ben Jeavons [6] of the Drupal Security Team [7]
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/527866
[3] http://drupal.org/node/527864
[4] http://drupal.org/project/moderation
[5] http://drupal.org/user/28074
[6] http://drupal.org/user/91990
[7] http://drupal.org/security-team
More information about the Security-news
mailing list