Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-087
- Project: FAQ Ask (third-party module)
- Version: 6.x
- Date: 2009 October 28
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple Vulnerabilities (XSS, CSRF, Open Redirect)
The FAQ Ask module enables site users to ask questions for experts to answer.
The module suffers multiple vulnerabilities, including Cross Site Request Forgeries (CSRF) and Cross Site Scripting problems (Cross Site Scripting). These vulnerabilities allow an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page, and gain access to unpublished content on a site.
- FAQ Ask module for Drupal 6.x prior to 6.x-2.0 (including 6.x-1.x)
- FAQ Ask module for Drupal 5.x
Drupal core is not affected. If you do not use the contributed FAQ Ask module, there is nothing you need to do.
Upgrade to the latest version or disable the module.
- If you use FAQ Ask for Drupal 6.x upgrade to version 6.x-2.0
- If you use FAQ Ask for Drupal 5.x it is no longer supported and you should disable it or upgrade your site to 6.x so you can use FAQ Ask 6.x-2.0.
- XSS and CSRF vulnerability reported by Dylan Wilder-Tack
See also the FAQ Ask module project page.
- Fixed by NancyDru.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.