SA-2008-003 - BUEditor - CSRF

• Advisory ID: DRUPAL-SA-2008-003
• Project: BUEditor (third-party module)
• Version: 4.7.x, 5.x
• Date: 2008-January-10
• Security risk: Not critical
• Exploitable from: Remote
• Vulnerability: Cross site request forgery

Description

BUEditor is a plain textarea editor aiming to facilitate code writing. It supports completely customizable interface and button functionality via role-based editors.

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The editor deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of custom editor interfaces.

Versions affected

• BUEditor for Drupal 4.7.x before BUEditor 4.7.x-1.0
• BUEditor for Drupal 5.x before BUEditor 5.x-1.1

Drupal core is not affected. If you do not use the contributed BUEditor module, there is nothing you need to do.

Solution

Install the latest version:

• If you use Drupal 4.7.x upgrade to BUEditor 4.7.x-1.1.
• If you use Drupal 5.x upgrade to BUEditor 5.x-1.1.

See also the BUEditor project page.

Reported by

Stéphane Corlosquet (scor).

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.