Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-2008-005
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2008-January-10
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
- Drupal 4.7.x before version 4.7.11.
- Drupal 5.x before version 5.6.
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
- If you are running Drupal 5.x then upgrade to Drupal 5.6.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
The Drupal security team.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.