Issue for fixing SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery (CSRF) - Unsupported

Problem

"The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting their browser to make a request to a specially-crafted URL."
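The flaw class above is the usual Drupal 7 one: a state-changing admin action reachable by a plain GET URL, so any page an administrator visits can trigger it with an image tag or link. The following is an added illustration written for this page, not the Tracking Code module's real code and not the patch attached below; the module name, paths, permission and table are invented. It shows an unprotected menu entry next to the token-checked form that Drupal 7 core uses for such links (drupal_get_token() in the link, drupal_valid_token() in the access callback).

```php
<?php
// Hypothetical module "example_tracking" (not the Tracking Code module).
// Demonstrates a CSRF-prone "disable" URL and its token-protected version.

/**
 * Implements hook_menu().
 */
function example_tracking_menu() {
  $items = array();

  // BEFORE (vulnerable): permission is checked, but nothing proves the
  // request was the admin's intent. <img src="/admin/example-tracking/1/disable">
  // on any page the admin visits disables item 1.
  $items['admin/example-tracking/%/disable'] = array(
    'title' => 'Disable tracking code',
    'page callback' => 'example_tracking_disable_page',
    'page arguments' => array(2),
    'access arguments' => array('administer example tracking'),
    'type' => MENU_CALLBACK,
  );

  // AFTER (hardened): same page callback, but the access callback also
  // requires a CSRF token bound to this item id and to the user's session.
  $items['admin/example-tracking/%/disable-safe'] = array(
    'title' => 'Disable tracking code',
    'page callback' => 'example_tracking_disable_page',
    'page arguments' => array(2),
    'access callback' => 'example_tracking_disable_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Access callback: permission AND a valid per-item token in ?token=.
 *
 * drupal_valid_token() compares against a HMAC of the value, the session id
 * and the site's private key, so a third-party page cannot forge it.
 */
function example_tracking_disable_access($id) {
  if (!user_access('administer example tracking')) {
    return FALSE;
  }
  return isset($_GET['token'])
    && drupal_valid_token($_GET['token'], 'example-tracking-disable-' . $id);
}

/**
 * Builds the admin UI link so it carries the token the access callback expects.
 * The token value string must match the one used in the access callback.
 */
function example_tracking_disable_link($id) {
  return l(t('Disable'), 'admin/example-tracking/' . $id . '/disable-safe', array(
    'query' => array('token' => drupal_get_token('example-tracking-disable-' . $id)),
  ));
}

/**
 * Page callback shared by both routes; only the hardened route guarantees
 * that reaching it reflects the administrator's intent.
 */
function example_tracking_disable_page($id) {
  example_tracking_set_status($id, 0);
  drupal_set_message(t('Tracking code %id disabled.', array('%id' => $id)));
  drupal_goto('admin/example-tracking');
}

/**
 * Hypothetical storage helper; the table and columns are invented for this example.
 */
function example_tracking_set_status($id, $status) {
  db_update('example_tracking')
    ->fields(array('status' => (int) $status))
    ->condition('id', (int) $id)
    ->execute();
}
```

The other idiomatic Drupal 7 fix is to route the action through confirm_form(): the Form API adds and validates a form token on the POST automatically, and the confirmation page gives the administrator a chance to notice an unexpected request. Either way, the check must live on the server side of the state change, not merely in which links the UI renders.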

Comments

fathershawn:

Assigned: Unassigned » fathershawn

We have a client willing to sponsor fixing this issue. If you have specific concerns about the vulnerability, please contact me via my contact form rather than discuss a vulnerability here.

If you have questions about the process, or non-technical concerns about the Security status, please do post them here.

fathershawn:

Status: Active » Needs review
File attached (status: new, size: 6.12 KB)

Here's the patch

silkogelman:

tested:
the patch applies perfectly on latest dev
tested with both a fresh Drupal install and an existing install:
all module functionality seems to work fine after the patch.
(managing snippets from UI, the snippets appearing in the source code of the desired pages)

I have NOT tested if it solves the security issue. (I'll leave that for the security team as I don't have that skill set)

grendzy:

Status: Needs review » Reviewed & tested by the community

On behalf of the Drupal Security Team, I've confirmed this patch resolves the CSRF issue. Thanks!

silkogelman:

Awesome! Thanks guys!

  • FatherShawn committed 77c8c3d on 7.x-1.x
    Issue #2450135 by FatherShawn: Fix SA-CONTRIB-2015-066

pere orga:

Updated advisory and published the release

Thanks!

pere orga:

Status: Reviewed & tested by the community » Fixed

fathershawn:

Status: Fixed » Closed (fixed)