Drupal Cross-Site Request Forgery Vulnerability
BID:25099
Info
| Bugtraq ID: | 25099 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 27 2007 12:00AM |
| Updated: | Jul 30 2007 06:55PM |
| Credit: | Discovery is credited to Konstantin Käfer and the Drupal Security Team. |
| Vulnerable: | Drupal Drupal 5.1 revision 1.1; Drupal Drupal 5.1; Drupal Drupal 5.0 |
| Not Vulnerable: | Drupal Drupal 5.2 |
Discussion
Drupal is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to use a victim's cookie credentials to perform actions with the application.
Versions prior to Drupal 5.2 are affected by this issue.
Exploit / POC
To exploit this issue, an attacker must entice an unsuspecting user to access a maliciously crafted HTML document.
Solution / Fix
Solution:
The vendor has released Drupal 5.2 to address this issue; please see the references for details.
Drupal Drupal 5.1
- Drupal drupal-5.2.tar.gz
  http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz
Drupal Drupal 5.0
- Drupal drupal-5.2.tar.gz
  http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz
References
References:
- Vendor Homepage (Drupal)
- Drupal security advisory DRUPAL-SA-2007-017 (Drupal)