[Security-news] SA-CONTRIB-2009-009 Forward module can be used as a spam relay

security-news at drupal.org security-news at drupal.org
Wed Mar 11 20:12:12 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-009
  * Project: Forward
  * Versions: 5.x, 6.x
  * Date: 2009-March-11
  * Security risk: Highly Critical
  * Exploitable from: Remote
  * Vulnerability: Unrestricted e-mailing (spam)

-------- DESCRIPTION ---------------------------------------------------------

This vulnerability allows spammers or spambots to use sites with the Forward
module installed to send nearly unlimited e-mail.

Due to improper use of Drupal's flood control API, it is possible for one
user to send an unlimited number of e-mails using the Forward module.

*Important note*: the security team has received reports of this
vulnerability being actively exploited on production sites, and this advisory
should be considered urgent.
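As an added illustration (not code from the Forward module or from this advisory), the Drupal 6 flood control API used as intended around an e-mail form: `flood_is_allowed()` gates the submission in the validate handler and `flood_register_event()` is called on every send, so the per-hostname counter the check reads actually grows. The form, the event name `example_forward_mail` and the threshold are hypothetical.

```php
<?php
// Added example: rate-limiting an e-mail form with Drupal 6's flood control
// API (flood_is_allowed() / flood_register_event() from includes/common.inc).
// The form, the event name and the threshold are hypothetical; this is not
// the Forward module's code.

define('EXAMPLE_FORWARD_EVENT', 'example_forward_mail');
define('EXAMPLE_FORWARD_PER_HOUR', 5);   // sends allowed per hostname per hour

function example_forward_form($form_state) {
  $form['recipient'] = array(
    '#type' => 'textfield',
    '#title' => t('Send to'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

function example_forward_form_validate($form, &$form_state) {
  // Gate *before* any mail is sent. The core API counts events registered
  // for the caller's hostname during the last hour.
  if (!flood_is_allowed(EXAMPLE_FORWARD_EVENT, EXAMPLE_FORWARD_PER_HOUR)) {
    form_set_error('', t('You cannot send more than %n messages per hour.',
      array('%n' => EXAMPLE_FORWARD_PER_HOUR)));
  }
  if (!valid_email_address($form_state['values']['recipient'])) {
    form_set_error('recipient', t('The e-mail address is not valid.'));
  }
}

function example_forward_form_submit($form, &$form_state) {
  // Register the event on every send, unconditionally, so the counter that
  // flood_is_allowed() reads actually grows. A limit check that is never
  // paired with a registration, or paired only on some code paths, leaves
  // the counter at zero and lets one client send without bound.
  flood_register_event(EXAMPLE_FORWARD_EVENT);
  drupal_mail('example_forward', 'forward', $form_state['values']['recipient'],
    language_default(), array('sender' => $GLOBALS['user']->name));
  drupal_set_message(t('The message has been sent.'));
}

// hook_mail(): builds the message that drupal_mail() above sends.
function example_forward_mail($key, &$message, $params) {
  $message['subject'] = t('A page was forwarded to you');
  $message['body'][] = t('Forwarded by @sender.', array('@sender' => $params['sender']));
}
```

Because the {flood} table is keyed by hostname and event name, a site admin can confirm the limit is being enforced by watching that table grow as messages are sent.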

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal 5.x before version 5.x-1.19
  * Drupal 6.x development snapshots

Drupal core is not affected. If you do not use the contributed Forward
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you are running Drupal 5.x then upgrade to Forward 5.x-1.19 [1].
  * If you are running a Drupal 6.x development snapshot from prior to March
    11, 2009, then upgrade to 6.x-1.0 [2].

If you are unable to upgrade immediately, you should disable the Forward
module as a work-around.

-------- REPORTED BY ---------------------------------------------------------

Helmut Debes

Dylan Wilder-Tack

Owen Barton

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://ftp.drupal.org/files/projects/forward-5.x-1.19.tar.gz
[2] http://ftp.drupal.org/files/projects/forward-6.x-1.0.tar.gz