Smileys Module For Drupal Delete URI Cross Site Request Forgery Vulnerability

Bugtraq ID:	39316
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 08 2010 12:00AM
Updated:	Apr 08 2010 12:00AM
Credit:	Andrey Tretyakov
Vulnerable:	Gurpartap Singh Smileys 6.x-1.0-alpha5 Gurpartap Singh Smileys 5.x-1.1
Not Vulnerable:	Gurpartap Singh Smileys 5.x-1.2

Smileys Module For Drupal Delete URI Cross Site Request Forgery Vulnerability

The Smileys module for Drupal is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.

The following versions are vulnerable:
Versions prior to Smileys 5.x-1.2
Smileys 6.x-1.0-alpha5 and prior

Smileys Module For Drupal Delete URI Cross Site Request Forgery Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Smileys Module For Drupal Delete URI Cross Site Request Forgery Vulnerability

Solution:
Updates are available. Please see the references for more information.

Smileys Module For Drupal Delete URI Cross Site Request Forgery Vulnerability

References:

• Snileys Homepage (Gurpartap Singh)
  
• SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery (Drupal)