[DRUPAL-SA-2006-025] Drupal 4.6.10 / 4.7.4 fixes CRF issue

2006-10-21T00:00:00

Description

------------------------------------------------------------------------ ---- Drupal security advisory DRUPAL-SA-2006-025 ------------------------------------------------------------------------ ---- Project: Drupal core Date: 2006-Oct-18 Security risk: Highly critical Exploitable from: Remote Vulnerability: Cross site request forgeries ------------------------------------------------------------------------ ---- Description ----------- Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means. An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in. Versions affected ----------------- - Drupal 4.6.x versions before Drupal 4.6.10 - Drupal 4.7.x versions before Drupal 4.7.4 Solution -------- - If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10. http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz - If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4. http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz - To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-025/4.6.9.patch. - To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-025/4.7.3.patch. Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4. Important note for Drupal 4.6.10 -------------------------------- Any custom forms that do not use the proper form API functions, such as raw HTML forms, will break for authenticated users and need to be updated. The easiest way to do so is to add the output of form_token() before the closing form tag. For phptemplate themes, add the following code before the closing form tag: <?php print form_token() ?> A number of modules and themes generate raw HTML forms. Check the list of modules and themes, to see if that is an issue for your site. We advise you test modules and themes in use before committing to an upgrade. Important note for Drupal 4.7.4 ------------------------------- Drupal 4.7.4 adds a new form field to all forms. Contributed modules and themes that assume only specific, known form fields to be present, may break on Drupal 4.7.4. We advise you test modules and themes in use before committing to an upgrade. Reported by ----------- Garvin Hicking. Contact ------- The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact. // Uwe Hermann, on behalf of the Drupal Security Team. -- Uwe Hermann http://www.hermann-uwe.de http://www.it-services-uh.de | http://www.crazy-hacks.org http://www.holsham-traders.de | http://www.unmaintained-free-software.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFN7D0XdVoV3jWIbQRAi9gAJ9sGhKLk1dZbc1gPec9r0AdDk40LQCbBIIW hESYAmvWkPSRf5THS5F1qz8= =9D02 -----END PGP SIGNATURE-----

{"id": "SECURITYVULNS:DOC:14755", "bulletinFamily": "software", "title": "[DRUPAL-SA-2006-025] Drupal 4.6.10 / 4.7.4 fixes CRF issue", "description": "------------------------------------------------------------------------\r\n----\r\nDrupal security advisory DRUPAL-SA-2006-025\r\n------------------------------------------------------------------------\r\n----\r\nProject: Drupal core\r\nDate: 2006-Oct-18\r\nSecurity risk: Highly critical\r\nExploitable from: Remote\r\nVulnerability: Cross site request forgeries\r\n------------------------------------------------------------------------\r\n----\r\n\r\nDescription\r\n-----------\r\nVisiting a specially crafted page, anywhere on the web, may allow that page \r\nto post forms to a Drupal site in the context of the visitor's session. \r\nTo illustrate; suppose one has an active user 1 session, the most powerful \r\nadministrator account for a site, to a Drupal site while visiting a website \r\ncreated by an attacker. This website will now be able to submit any form to \r\nthe Drupal site with the privileges of user 1, either by enticing the user to \r\nsubmit a form or by automated means.\r\n\r\nAn attacker can exploit this vulnerability by changing passwords, posting PHP \r\ncode or creating new users, for example. The attack is only limited by the \r\nprivileges of the session it executes in.\r\n\r\nVersions affected\r\n-----------------\r\n- Drupal 4.6.x versions before Drupal 4.6.10\r\n- Drupal 4.7.x versions before Drupal 4.7.4\r\n\r\nSolution\r\n--------\r\n- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.\r\nhttp://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz\r\n- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.\r\nhttp://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz\r\n\r\n- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-025/4.6.9.patch.\r\n- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-025/4.7.3.patch.\r\n\r\nPlease note that the patches only contain changes related to this advisory, and \r\ndo not fix bugs that were solved in 4.6.10 or 4.7.4.\r\n\r\nImportant note for Drupal 4.6.10\r\n--------------------------------\r\nAny custom forms that do not use the proper form API functions, such as raw HTML \r\nforms, will break for authenticated users and need to be updated. The easiest \r\nway to do so is to add the output of form_token() before the closing form tag. \r\nFor phptemplate themes, add the following code before the closing form tag:\r\n<?php print form_token() ?>\r\nA number of modules and themes generate raw HTML forms. Check the list of \r\nmodules and themes, to see if that is an issue for your site.\r\nWe advise you test modules and themes in use before committing to an upgrade.\r\n\r\nImportant note for Drupal 4.7.4\r\n-------------------------------\r\nDrupal 4.7.4 adds a new form field to all forms. Contributed modules and themes \r\nthat assume only specific, known form fields to be present, may break on \r\nDrupal 4.7.4.\r\n\r\nWe advise you test modules and themes in use before committing to an upgrade.\r\n\r\nReported by\r\n-----------\r\nGarvin Hicking.\r\n\r\nContact\r\n-------\r\nThe security contact for Drupal can be reached at security at drupal.org or \r\nusing the form at http://drupal.org/contact.\r\n\r\n// Uwe Hermann, on behalf of the Drupal Security Team.\r\n-- \r\nUwe Hermann \r\nhttp://www.hermann-uwe.de\r\nhttp://www.it-services-uh.de | http://www.crazy-hacks.org \r\nhttp://www.holsham-traders.de | http://www.unmaintained-free-software.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\n\r\niD8DBQFFN7D0XdVoV3jWIbQRAi9gAJ9sGhKLk1dZbc1gPec9r0AdDk40LQCbBIIW\r\nhESYAmvWkPSRf5THS5F1qz8=\r\n=9D02\r\n-----END PGP SIGNATURE-----\r\n\r\n", "published": "2006-10-21T00:00:00", "modified": "2006-10-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14755", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:19", "edition": 1, "viewCount": 25, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6737"]}]}, "exploitation": null, "vulnersScore": -0.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659730939}}