• Advisory ID: DRUPAL-SA-CONTRIB-2009-102
  • Project: PHPList Inegration Module (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-November-18
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery


The PHPList module provides a basic level of integration between Drupal and the PHPList mailing list application.

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticated. The links for subscribing and un-subscribing to and from mailing lists in "My Account" do not follow the standard Forms API submission model and are therefore not protected against this type of attack. A CSRF attack may result in unintentional subscription or un-subscription of site users to PHPList mailing lists.

Versions affected

  • PHPList Integration Module for Drupal 5 before 5.x-1.2
  • PHPList Integration Module for Drupal 6 before 6.x-1.1

Drupal core is not affected. If you do not use the contributed PHPList Integration module, there is nothing you need to do.


Install the latest version:

If you use Drupal 5.x upgrade to PHPList Integration Module 5.x-1.2.
If you use Drupal 6.x upgrade to PHPList Integration Module 6.x-1.1.

See also the PHPList Integration Module project page.

Reported by

Peter Wolanin of the Drupal Security Team

Fixed by

Paul Beaney the module maintainer.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.