[Security-news] SA-CONTRIB-2009-045: Moderation - Cross Site Request Forgery

security-news at drupal.org
Wed Jul 22 20:22:26 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-045
  * Project: Moderation (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-07-22
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

The Moderation module uses AJAX to provide a dynamic moderation queue for
nodes and comments. The module is vulnerable to cross-site request forgery
(CSRF [1]) via the AJAX callbacks used to toggle the moderation flag. A
non-administrative user can trick a logged-in moderator into publishing
arbitrary moderated content by leading them to the callback URL, for example
through a link or an image src attribute.
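
The pattern behind this class of bug, shown here as an added illustration that
is not the Moderation module's own code: a state-changing AJAX menu callback
that relies only on the moderator's session cookie for access, beside the same
callback protected with Drupal's per-session token functions. The module name
`modq`, the paths and the permission name are assumptions; the Drupal 6 API
(`%node` loaders, `drupal_get_token()`, `drupal_valid_token()`, `drupal_json()`)
is assumed.

```php
<?php
// Illustrative Drupal 6 module code (hypothetical module 'modq'), not the
// Moderation module's own source. Paths and permission names are assumptions.

/**
 * Implementation of hook_menu().
 */
function modq_menu() {
  $items = array();

  // Vulnerable pattern: a state-changing callback gated only by permission.
  // Any page the moderator visits can trigger it with
  //   <img src="http://example.com/modq/toggle/123">
  // because the browser attaches the moderator's session cookie automatically.
  $items['modq/toggle/%node'] = array(
    'page callback' => 'modq_toggle_vulnerable',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // Hardened pattern: the path carries a per-session token that a page on
  // another origin cannot compute, and the callback validates it before
  // changing anything.
  $items['modq/toggle-safe/%node/%'] = array(
    'page callback' => 'modq_toggle_safe',
    'page arguments' => array(2, 3),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Vulnerable: flips the published bit for anyone who can reach the URL with a
 * valid moderator session, regardless of where the request originated.
 */
function modq_toggle_vulnerable($node) {
  $node->status = $node->status ? 0 : 1;
  node_save($node);
  drupal_json(array('nid' => $node->nid, 'status' => $node->status));
}

/**
 * Hardened: drupal_valid_token() recomputes drupal_get_token() for the same
 * value and the current session, so a forged cross-site request fails here.
 */
function modq_toggle_safe($node, $token) {
  if (!drupal_valid_token($token, 'modq-toggle-' . $node->nid)) {
    drupal_access_denied();
    return;
  }
  $node->status = $node->status ? 0 : 1;
  node_save($node);
  drupal_json(array('nid' => $node->nid, 'status' => $node->status));
}

/**
 * Builds the URL the moderation queue's JavaScript should call; the token is
 * embedded server-side when the page is rendered for the moderator.
 */
function modq_toggle_url($node) {
  $token = drupal_get_token('modq-toggle-' . $node->nid);
  return url('modq/toggle-safe/' . $node->nid . '/' . $token);
}
```

In Drupal 6, drupal_get_token() hashes the session ID, the supplied value and
the site's private key, so the token is bound to the moderator's session and
to the specific node; a third-party page cannot know it. Switching the
callback from GET to POST is not a fix on its own, since a cross-site form can
submit POST requests as well; the token must be checked on every
state-changing request, whether it arrives from the queue's JavaScript or is
typed into the address bar.
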

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Moderation versions 5.x-1.x prior to 5.x-1.2
  * Moderation versions 6.x-1.x prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed Moderation
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Moderation for Drupal 5.x, upgrade to Moderation
    version 5.x-1.2 [2]
  * If you use Moderation for Drupal 6.x, upgrade to Moderation
    version 6.x-1.3 [3]

See also the Moderation [4] project page.

-------- REPORTED BY ---------------------------------------------------------

Ben Ford.

-------- FIXED BY ------------------------------------------------------------

Stefan Auditor [5], the Moderation project maintainer, with assistance from
Ben Jeavons [6] of the Drupal Security Team [7].

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/527866
[3] http://drupal.org/node/527864
[4] http://drupal.org/project/moderation
[5] http://drupal.org/user/28074
[6] http://drupal.org/user/91990
[7] http://drupal.org/security-team
