This was released already in Drupal 6, and needs to be ported to HEAD asap. That patch is attached.
From David Rothstein:

I discovered what appears to be a significant CSRF vulnerability in update.php. It appears to affect both Drupal 5 and Drupal 6 (Drupal 6 is where I found it, though). The result is that anyone who is logged in as uid = 1 can be tricked into running any updates on their site, including old updates that would be damaging or destructive to run a second time... The vulnerability occurs because http://api.drupal.org/api/function/update_batch/6 loops through the $_POST variable directly in deciding which updates to run. This function occurs outside of form API and therefore is not protected by any kind of token... therefore, if you can trick someone into visiting update.php?op=Update with an appropriate $_POST, you can force any update you want to be run on their site.
Note: this vulnerability only occurs for admins logged in as UID 1, and this is a great example of a reason why you should not do that.
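As an added illustration (not Drupal's code and not the attached patches) of the pattern David describes, reading the update selection straight out of $_POST, beside the same handler gated by a session-bound token. The function and field names here are made up; drupal_get_token(), drupal_valid_token(), check_plain() and drupal_set_message() are the Drupal 6 API functions assumed to be available after bootstrap.

```php
<?php
// Illustrative only: hypothetical helpers, not update.php or the committed fix.
// Assumes a Drupal 6 bootstrap so the token and message functions exist.

// Parses the hypothetical 'start_<module>' fields into module => update number.
function example_selected_updates_from_post() {
  $updates = array();
  foreach ($_POST as $key => $value) {
    if (substr($key, 0, 6) == 'start_' && is_numeric($value)) {
      $updates[substr($key, 6)] = (int) $value;
    }
  }
  return $updates;  // caller would run hook_update_N() for each entry
}

// BEFORE: the handler trusts $_POST as-is. Nothing ties the request to a
// page this admin actually rendered, so any site that gets uid 1's browser
// to submit a POST to update.php chooses which updates run.
function example_update_batch_unsafe() {
  return example_selected_updates_from_post();
}

// AFTER, part 1: the selection form carries a CSRF token. drupal_get_token()
// derives it from the current session id plus the 'update' value, so a
// third-party page cannot compute it for the victim's session.
function example_update_form_token_field() {
  $token = drupal_get_token('update');
  return '<input type="hidden" name="token" value="' . check_plain($token) . '" />';
}

// AFTER, part 2: the handler refuses to read $_POST until the token checks
// out for this session. A forged cross-site POST fails here and nothing runs.
function example_update_batch_safe() {
  if (empty($_POST['token']) || !drupal_valid_token($_POST['token'], 'update')) {
    drupal_set_message('Invalid or missing token; no updates were run.', 'error');
    return array();
  }
  return example_selected_updates_from_post();
}
```

The same check belongs on any op that reaches update_batch(), not only the form's own submit button, since the report notes the handler runs outside form API and gets no token for free.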
Comment | File | Size | Author
---|---|---|---
#1 | 361699-SA-2008-073-D7.patch | 2.62 KB | Dave Reid
 | updateD6_2.patch | 2.25 KB | pwolanin
Comments
Comment #1

Dave Reid: Port finished. Also corrected a capitalization discrepancy for the 'apply pending updates' op.

Comment #2

Dries: Committed to CVS HEAD. Thanks.

Comment #4

pwolanin: tagging