[Security-news] SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery

security-news at drupal.org
Wed Nov 4 16:39:28 UTC 2009


  * Advisory ID: SA-CONTRIB-2009-09-090
  * Project: User Protect (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-04
  * Security risk: Moderate
  * Exploitable from: Remote
  * Vulnerability: Cross site request forgery

-------- DESCRIPTION ---------------------------------------------------------

User Protect provides various editing protection for users. The protections
can be specific to a user, or applied to all users in a role. User
administrators can be individually configured to be allowed to bypass the
protections. The Drupal Forms API protects against cross site request
forgeries (CSRF [1]), where a malicious site can cause a user to
unintentionally submit a form to a site where he is authenticated. The link
for deleting user protections and administrator bypasses does not follow the
standard Forms API submission model and is therefore not protected against
this type of attack. A CSRF [2] attack may result in the deletion of
protections for users, or administrator bypass settings for user
administrators.
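
As an added illustration of the flaw described above (not code from the User Protect module), here is a Drupal 6 menu callback that performs a deletion from a plain link, beside the Forms API confirmation form that replaces it; the module name, paths and table name are hypothetical.

```php
<?php
// Added illustration, not the User Protect module's own code. Module name,
// paths and the {example_protections} table are hypothetical.

function example_menu() {
  // VULNERABLE pattern: a bare link performs the state change. Any page that
  // can make an administrator's browser request this URL deletes the row.
  $items['admin/user/example/delete/%'] = array(
    'title' => 'Delete protection',
    'page callback' => 'example_delete_link',
    'page arguments' => array(4),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  // HARDENED pattern: route the action through drupal_get_form() so the
  // Forms API adds and validates form_token before the submit handler runs.
  $items['admin/user/example/confirm-delete/%'] = array(
    'title' => 'Delete protection',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_delete_confirm', 4),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Vulnerable: no token, no POST, the GET request alone is enough.
function example_delete_link($uid) {
  db_query("DELETE FROM {example_protections} WHERE uid = %d", $uid);
  drupal_goto('admin/user/example');
}

// Hardened: confirm_form() builds a POST form carrying a per-session token;
// a submission whose token does not match is rejected before _submit runs.
function example_delete_confirm(&$form_state, $uid) {
  $form['uid'] = array('#type' => 'value', '#value' => $uid);
  return confirm_form($form,
    t('Are you sure you want to delete the protection for user %uid?', array('%uid' => $uid)),
    'admin/user/example', t('This action cannot be undone.'), t('Delete'), t('Cancel'));
}

function example_delete_confirm_submit($form, &$form_state) {
  db_query("DELETE FROM {example_protections} WHERE uid = %d", $form_state['values']['uid']);
  drupal_set_message(t('The protection has been deleted.'));
  $form_state['redirect'] = 'admin/user/example';
}
```

The link in the admin listing then points at the confirm-delete path instead of the delete path, and the actual deletion only happens on a token-checked POST.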

-------- VERSIONS AFFECTED ---------------------------------------------------

  * User Protect for Drupal 5.x before User Protect 5.x-1.4
  * User Protect for Drupal 6.x before User Protect 6.x-1.3

Drupal core is not affected. If you do not use the contributed User Protect
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Drupal 5.x upgrade to User Protect 5.x-1.4 [3].
  * If you use Drupal 6.x upgrade to User Protect 6.x-1.3 [4].

Please note that update.php *must* be run as part of this upgrade in order
for the issue to be fully fixed. See also the User Protect project page [5].

-------- REPORTED BY ---------------------------------------------------------

Chad Phillips [6].

-------- FIXED BY ------------------------------------------------------------

Chad Phillips [7].

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/node/623180
[4] http://drupal.org/node/623186
[5] http://drupal.org/project/userprotect
[6] http://drupal.org/user/22079
[7] http://drupal.org/user/22079
