SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)

The Htaccess module allows the creation and deployment of .htaccess files based on custom settings.

Some administration links were not properly protected from Cross Site Request Forgery (CSRF). A malicious user could cause an administrator to deploy or delete .htaccess files by getting the administrator’s browser to request specially crafted URLS while the administrator was logged in.

CVE identifier(s) issued

• CVE-2015-3349

Versions affected

• All Htaccess 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed htaccess module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Htaccess module for Drupal 7.x, upgrade to Htaccess 7.x-2.3

Also see the htaccess project page.

Reported by

• Pere Orga provisional member of the Drupal Security Team

Fixed by

• Jibus the module maintainer

Coordinated by

• Pere Orga provisional member of the Drupal Security Team