SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery

  • Advisory ID: DRUPAL-SA-CONTRIB-2010-035
  • Date: 2010-April-07
  • Published by: Drupal Security Team, www.drupal.org

EPSS: 0.967 (percentile 99.7%)

The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgery (CSRF) via the URL used to delete smileys: the deletion is carried out as soon as that URL is requested, with no confirmation step and no request token tying the request to the administrator's own session. A user with “administer smileys” permission who is tricked into visiting the smiley delete URL (for example through a link or image on an attacker-controlled page, which the browser fetches with the administrator's session cookie attached) would unwittingly remove smileys from the site.
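The following is an added illustration, not code from the Smileys module or from the Drupal Security Team. It shows the CSRF-prone pattern the advisory describes (a Drupal menu callback that deletes a record as a side effect of a plain GET request) next to two hardened alternatives: a confirm_form() page whose deletion runs only from a Form API submit handler, which requires a valid per-session form_token, and a one-click link protected with drupal_get_token()/drupal_valid_token(). The smileys_demo_* function names, the admin/settings/smileys paths and the {smileys} table with an sid column are assumptions; the API calls themselves are Drupal 6 core functions.

```php
<?php
// Added illustration, not the Smileys module's own code. The
// smileys_demo_* names, the admin/settings/smileys paths and the
// {smileys} table with its sid column are assumptions; hook_menu(),
// confirm_form(), drupal_get_token(), drupal_valid_token(), db_query()
// and drupal_access_denied() are Drupal 6 core API.

/**
 * Implementation of hook_menu().
 */
function smileys_demo_menu() {
  $items = array();

  // CSRF-PRONE: the delete happens as a side effect of a plain GET.
  // Anything that makes an administrator's browser request
  // admin/settings/smileys/delete/ID (an <img src>, a link, a redirect
  // on an attacker page) deletes the smiley; the browser attaches the
  // admin's session cookie, so the permission check passes.
  $items['admin/settings/smileys/delete/%'] = array(
    'page callback' => 'smileys_demo_delete_get',
    'page arguments' => array(4),
    'access arguments' => array('administer smileys'),
    'type' => MENU_CALLBACK,
  );

  // HARDENED (a): the URL only renders a confirmation form. Form API
  // adds a per-session form_token and rejects a POST without a valid
  // one, so a cross-site request cannot complete the deletion.
  $items['admin/settings/smileys/%/delete'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('smileys_demo_delete_confirm', 3),
    'access arguments' => array('administer smileys'),
    'type' => MENU_CALLBACK,
  );

  // HARDENED (b): a one-click link is acceptable only when the URL
  // carries a token bound to the admin's session (see the link helper).
  $items['admin/settings/smileys/%/delete-now'] = array(
    'page callback' => 'smileys_demo_delete_tokenized',
    'page arguments' => array(3),
    'access arguments' => array('administer smileys'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** CSRF-prone: state change on GET with no proof of the admin's intent. */
function smileys_demo_delete_get($sid) {
  db_query('DELETE FROM {smileys} WHERE sid = %d', $sid);
  drupal_set_message(t('Smiley deleted.'));
  drupal_goto('admin/settings/smileys');
}

/** Hardened (a): confirmation form; the delete runs only in the submit handler. */
function smileys_demo_delete_confirm(&$form_state, $sid) {
  $form['sid'] = array('#type' => 'value', '#value' => $sid);
  return confirm_form($form,
    t('Are you sure you want to delete this smiley?'),
    'admin/settings/smileys',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

function smileys_demo_delete_confirm_submit($form, &$form_state) {
  db_query('DELETE FROM {smileys} WHERE sid = %d', $form_state['values']['sid']);
  drupal_set_message(t('Smiley deleted.'));
  $form_state['redirect'] = 'admin/settings/smileys';
}

/** Hardened (b): the admin UI builds the link with a session-bound token ... */
function smileys_demo_delete_link($sid) {
  return url('admin/settings/smileys/' . $sid . '/delete-now',
    array('query' => 'token=' . drupal_get_token('smileys-delete-' . $sid)));
}

/** ... and the callback refuses any request whose token does not validate. */
function smileys_demo_delete_tokenized($sid) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'smileys-delete-' . $sid)) {
    return drupal_access_denied();
  }
  db_query('DELETE FROM {smileys} WHERE sid = %d', $sid);
  drupal_set_message(t('Smiley deleted.'));
  drupal_goto('admin/settings/smileys');
}
```

The confirmation form is the fix Drupal core itself uses for destructive admin actions and is the safer default; the tokenized link is the minimal change when a one-click action must be kept. Both depend on the token being derived from the session, which an attacker's page cannot read. The Drupal 5.x hook_menu() and form signatures differ from the 6.x ones shown here, so the code would need adjusting for a 5.x module.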

Versions affected

  • Smileys module for Drupal 5.x, versions prior to 5.x-1.2.

Note that Smileys version 6.x-1.0-alpha5 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases.

Drupal core is not affected. If you do not use the contributed Smileys module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the Smileys module for Drupal 5.x-1.x, upgrade to Smileys 5.x-1.2.

See also the Smileys project page.

Reported by

Fixed by
