• Advisory ID: DRUPAL-SA-2008-068
  • Project: Localization client and Localization server (third-party modules)
  • Versions: 5.x, 6.x
  • Date: 2008-October-22
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery

Description

The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. The Localization server module provides a community translation interface for translating Drupal modules and themes and is primarily used by Drupal translation teams. The server also provides an interface for the client to send in translation suggestions.

The client's local translation submission interface, the approving and declining of suggestions on the server, and the client's remote submission of suggestions to the server are all implemented in ways that are vulnerable to cross-site request forgery (CSRF): the state-changing requests are accepted on the strength of the user's session alone, without a token proving the request originated from the site's own interface. When a sufficiently privileged user visits a page or site created by a malicious person, this may lead to unintended modifications of translated strings on the client, unintended rejection or approval of suggestions on the server, or unintended remote submission of suggestions to the server.
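As an added illustration (this is not the Localization client or server code, and the path, table and function names are hypothetical), the pattern described above next to its hardened form using Drupal's own token API, drupal_get_token() and drupal_valid_token(), which exists in both 5.x and 6.x. Function signatures for l() and watchdog() follow Drupal 6:

```php
<?php
// Added example, not code from the Localization client/server modules.
// Assumed: a reviewer with the 'approve suggestions' permission, a hypothetical
// {l10n_example_suggestion} table and a menu path l10n/approve/%sid.

/**
 * VULNERABLE: approves a suggestion on a plain GET request. Any third-party
 * page can trigger it for a logged-in reviewer, for example with
 *   <img src="http://example.com/l10n/approve/42">
 * because the browser attaches the victim's session cookie automatically.
 */
function l10n_example_approve_vulnerable($sid) {
  if (!user_access('approve suggestions')) {
    return drupal_access_denied();
  }
  // Only the permission is checked; nothing ties the request to an action the
  // user actually took on this site, so a forged request is indistinguishable.
  db_query("UPDATE {l10n_example_suggestion} SET status = 1 WHERE sid = %d", $sid);
  drupal_set_message(t('Suggestion approved.'));
  drupal_goto('l10n/review');
}

/**
 * HARDENED, part 1: the link the reviewer clicks carries a token bound to the
 * specific action and to the reviewer's session.
 */
function l10n_example_approve_link($sid) {
  $path = 'l10n/approve/' . $sid;
  // drupal_get_token() hashes $path together with the session id and the
  // site's private key; an attacker's page cannot compute it for the victim.
  return l(t('Approve'), $path, array('query' => array('token' => drupal_get_token($path))));
}

/**
 * HARDENED, part 2: the callback refuses any request whose token is missing
 * or does not validate for this path and session.
 */
function l10n_example_approve($sid) {
  if (!user_access('approve suggestions')) {
    return drupal_access_denied();
  }
  $path = 'l10n/approve/' . $sid;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    // Token absent or forged: treat the request as a CSRF attempt and log it.
    watchdog('l10n_example', 'Rejected approval of suggestion %sid: invalid token.',
      array('%sid' => $sid), WATCHDOG_WARNING);
    return drupal_access_denied();
  }
  db_query("UPDATE {l10n_example_suggestion} SET status = 1 WHERE sid = %d", $sid);
  drupal_set_message(t('Suggestion approved.'));
  drupal_goto('l10n/review');
}
```

The same principle covers the other two vectors named above: a translation form built with the Form API through drupal_get_form() receives a form_token automatically and rejects submissions without it, whereas a handler that reads $_POST directly bypasses that check; and an endpoint that accepts remote suggestion submissions needs its own per-request token (or an explicit shared secret) rather than relying on the submitting user's session cookie.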

Versions Affected

  • Versions of Localization client for Drupal 5.x prior to 5.x-1.1 and for Drupal 6.x prior to 6.x-1.6
  • Versions of Localization server for Drupal 5.x prior to 5.x-1.0-alpha5 and for Drupal 6.x prior to 6.x-alpha2

Drupal core is not affected. If you do not use the Localization client or Localization server modules, there is nothing you need to do.

Solution

Install the latest version of each affected module (at minimum the fixed releases named under Versions Affected).

Also see the Localization client project page and the Localization server project page.

Reported by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.