Drupal Forward Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
BID:51826
Info
Drupal Forward Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
| Bugtraq ID: | 51826 |
| Class: | Unknown |
| CVE: |
CVE-2012-1056 CVE-2012-1057 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 02 2012 12:00AM |
| Updated: | Mar 19 2015 07:35AM |
| Credit: | Greg Knaddison (greggles) |
| Vulnerable: |
Drupal Forward 7.x-1.2 Drupal Forward 7.x-1.1 Drupal Forward 7.x-1.0 Drupal Forward 6.x-1.20 Drupal Forward 6.x-1.19 Drupal Forward 6.x-1.12 Drupal Forward 6.x-1.11 Drupal Forward 6.x-1.0 |
| Not Vulnerable: |
Drupal Forward 7.x-1.3 Drupal Forward 6.x-1.21 |
Discussion
Drupal Forward Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
Forward Module for Drupal is prone to a cross-site request-forgery vulnerability and multiple security-bypass vulnerabilities.
Exploiting the security-bypass issues may allow a remote attacker to gain unauthorized access to the protected areas of the application. Other attacks are also possible.
An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a user's session. This may aid in other attacks.
The following versions are vulnerable:
Forward 6.x-1.x versions prior to 6.x-1.21
Forward 7.x-1.x versions prior to 7.x-1.3
Forward Module for Drupal is prone to a cross-site request-forgery vulnerability and multiple security-bypass vulnerabilities.
Exploiting the security-bypass issues may allow a remote attacker to gain unauthorized access to the protected areas of the application. Other attacks are also possible.
An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a user's session. This may aid in other attacks.
The following versions are vulnerable:
Forward 6.x-1.x versions prior to 6.x-1.21
Forward 7.x-1.x versions prior to 7.x-1.3
Exploit / POC
Drupal Forward Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
An attacker can exploit these issues through a browser. To exploit the cross-site request-forgery issue, the attacker must entice an unsuspecting victim into following a malicious URI.
An attacker can exploit these issues through a browser. To exploit the cross-site request-forgery issue, the attacker must entice an unsuspecting victim into following a malicious URI.
Solution / Fix
Drupal Forward Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
Solution:
Updates are available. Please see the references for details.
Solution:
Updates are available. Please see the references for details.
References
Drupal Forward Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
References:
References:
- Drupal Homepage (Drupal)
- Forward Homepage (Drupal)
- SA-CONTRIB-2012-016 - Forward module CSRF and Access bypass (Drupal)