I just noticed this module and took a quick look at the code. I believe the features to add and delete blocks are vulnerable to cross-site request forgery (CSRF).

Please see http://drupalscout.com/tags/csrf for details on how to identify and how to fix these problems.

Comments

Assigned: Unassigned » Milena

Thank you for submitting the issue. You are sure of course. I've put a Drupal token in the block rearranging functions, but I completely forgot to do the same for adding and deleting blocks. Thank you very much for pointing this out. It will be fixed for sure.

Status: Active » Fixed

@greggles

I fixed my module. Hope it is safe now. Thank you once more for looking at it.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
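
The kind of fix discussed in this thread, sketched as an added example for a delete callback; it is not the module's actual code. It assumes Drupal 7, and the module name `mymodule`, the menu path, the table `mymodule_blocks` and all function names are hypothetical.

```php
<?php
// Added example for a hypothetical Drupal 7 module "mymodule".

/**
 * Implements hook_menu(). The permission check alone does not stop CSRF:
 * a forged request from another site runs with the admin's session.
 */
function mymodule_menu() {
  $items['admin/mymodule/block/%/delete'] = array(
    'title' => 'Delete block',
    'page callback' => 'mymodule_block_delete',
    'page arguments' => array(3),
    'access arguments' => array('administer blocks'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the delete link. The token is derived from the user's session and
 * the value passed in, so it is tied to this action on this block.
 */
function mymodule_block_delete_link($block_id) {
  $token = drupal_get_token('mymodule_delete_' . $block_id);
  return l(t('Delete'), 'admin/mymodule/block/' . $block_id . '/delete',
    array('query' => array('token' => $token)));
}

/**
 * Page callback. Nothing is changed until the token has been validated.
 */
function mymodule_block_delete($block_id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'mymodule_delete_' . $block_id)) {
    // Missing or wrong token: treat as a forged request and return 403.
    return MENU_ACCESS_DENIED;
  }
  // Hypothetical storage table for this module's blocks.
  db_delete('mymodule_blocks')
    ->condition('bid', (int) $block_id)
    ->execute();
  drupal_set_message(t('Block deleted.'));
  drupal_goto('admin/mymodule');
}
```

Routing the deletion through `confirm_form()` is an alternative, since the Form API adds and validates its own token on submission.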