SA-2008-005 - Drupal core - Cross site request forgery

2008-01-10T00:00:00
ID DRUPAL-SA-2008-005
Type drupal
Reporter Drupal Security Team
Modified 2008-01-10T00:00:00

Description

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove the items of a particular feed. This action was implemented as a simple GET request and is therefore vulnerable to cross-site request forgery (CSRF): should a privileged user view a page containing an <img> tag whose src is crafted to point at the remove-items URL, the browser issues that request with the user's own session credentials and the items are removed without the user intending it.
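The following is an added illustration, not Drupal's own code, showing why a state-changing action reachable by a bare GET is forgeable and what the corrected handler shape looks like: the action only runs on a POST that carries a token bound to the user's session and to the specific action. The Aggregator store, the request dictionaries, the route string "aggregator/remove/<fid>" and the status codes are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not Drupal code. A per-site secret; a real
# application loads this from configuration rather than generating it at import.
SITE_SECRET = secrets.token_bytes(32)


def make_token(session_id: str, action: str) -> str:
    """Token bound to both the session and the action, so a token issued for
    one feed cannot be replayed against another."""
    message = f"{session_id}|{action}".encode()
    return hmac.new(SITE_SECRET, message, hashlib.sha256).hexdigest()


def token_valid(session_id: str, action: str, token) -> bool:
    """Constant-time comparison; a missing token compares against ""."""
    return hmac.compare_digest(make_token(session_id, action), token or "")


class Aggregator:
    """Hypothetical stand-in for the module's feed item storage."""

    def __init__(self):
        self.items = {1: ["story-a", "story-b"], 2: ["story-c"]}

    def remove_items(self, feed_id: int) -> int:
        removed = len(self.items.get(feed_id, []))
        self.items[feed_id] = []
        return removed


def remove_items_vulnerable(agg: Aggregator, request: dict):
    """Pre-fix shape: the deletion runs on any request that reaches the URL,
    including the GET a browser sends for an <img src=...> tag. Only the
    privilege check stands between the request and the deletion."""
    if request["user_is_admin"]:
        return 200, agg.remove_items(request["feed_id"])
    return 403, 0


def remove_items_fixed(agg: Aggregator, request: dict):
    """Hardened shape: privilege check, then POST only, then a valid token
    for this exact action. A forged GET never reaches the deletion."""
    if not request["user_is_admin"]:
        return 403, 0
    if request["method"] != "POST":
        return 405, 0
    action = f"aggregator/remove/{request['feed_id']}"
    if not token_valid(request["session_id"], action, request.get("form_token")):
        return 403, 0
    return 200, agg.remove_items(request["feed_id"])


def cross_site_get(feed_id: int, session_id: str = "admin-session") -> dict:
    """Request as it arrives when the victim's browser loads an image URL
    from another site: the session cookie rides along, no form token."""
    return {"method": "GET", "feed_id": feed_id,
            "session_id": session_id, "user_is_admin": True}


def legitimate_post(feed_id: int, session_id: str = "admin-session") -> dict:
    """Request produced by the site's own confirmation form."""
    action = f"aggregator/remove/{feed_id}"
    return {"method": "POST", "feed_id": feed_id, "session_id": session_id,
            "user_is_admin": True,
            "form_token": make_token(session_id, action)}


def demo() -> dict:
    """Drive the same cross-site GET against both handlers and report outcomes."""
    vulnerable, fixed = Aggregator(), Aggregator()
    return {
        "vulnerable_cross_site": remove_items_vulnerable(vulnerable, cross_site_get(1)),
        "fixed_cross_site": remove_items_fixed(fixed, cross_site_get(1)),
        "fixed_legitimate": remove_items_fixed(fixed, legitimate_post(1)),
    }


if __name__ == "__main__":
    print(demo())
```

The token is keyed on the action as well as the session, which is what stops a token obtained for removing feed 2 from authorising removal of feed 1; rejecting non-POST methods first means the vulnerable `<img>` path fails before any token logic runs.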

Versions affected

  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.