Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Heine on
- Advisory ID: DRUPAL-SA-2008-005
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2008-January-10
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
Description
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
Versions affected
- Drupal 4.7.x before version 4.7.11.
- Drupal 5.x before version 5.6.
Solution
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
- If you are running Drupal 5.x then upgrade to Drupal 5.6.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch.
- To patch Drupal 5.5 use SA-2008-005-5.5.patch.
Reported by
The Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
