[Security-news] SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery
security-news at drupal.org
security-news at drupal.org
Wed Apr 7 22:10:42 UTC 2010
* Advisory ID: DRUPAL-SA-CONTRIB-2010-035
* Project: Smileys (third-party module)
* Versions: 5.x
* Date: 2010-April-07
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Smileys module provides a text filter that substitutes emoticons with
images. The module is vulnerable to cross-site request forgeries (CSRF [1])
via the URL used to delete smileys. A user with "administer smileys"
permission could be tricked into visiting the smiley delete URL and
unwittingly remove smileys from the site.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Smileys module for Drupal 5.x version prior to 5.x-1.2 [2].
*Note that Smileys version 6.x-1.0-alpha5 and earlier versions for Drupal 6.x
are also affected. However, the security team does not provide support for
alpha releases.* Drupal core is not affected. If you do not use the
contributed Smileys module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the Smileys module for Drupal 5.x-1.x upgrade to Smileys
5.x-1.2 [3]
See also the Smileys project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Andrey Tretyakov [5]
-------- FIXED BY
------------------------------------------------------------
* Gurpartap Singh [6], the module maintainer
* mr.baileys [7] of the Drupal security team.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [8].
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/764826
[3] http://drupal.org/node/764826
[4] http://drupal.org/project/smileys
[5] http://drupal.org/user/169459
[6] http://drupal.org/user/41470
[7] http://drupal.org/user/383424
[8] http://drupal.org/contact
More information about the Security-news
mailing list