Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[DRUPAL-SA-2006-025] Drupal 4.6.10 / 4.7.4 fixes CRF issue
From: Uwe Hermann <uwe () hermann-uwe de>
Date: Thu, 19 Oct 2006 19:08:04 +0200

Drupal security advisory                                  DRUPAL-SA-2006-025
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Highly critical
Exploitable from: Remote
Vulnerability:    Cross site request forgeries
Visiting a specially crafted page, anywhere on the web, may allow that page 
to post forms to a Drupal site in the context of the visitor's session. 
To illustrate; suppose one has an active user 1 session, the most powerful 
administrator account for a site, to a Drupal site while visiting a website 
created by an attacker. This website will now be able to submit any form to 
the Drupal site with the privileges of user 1, either by enticing the user to 
submit a form or by automated means.

An attacker can exploit this vulnerability by changing passwords, posting PHP 
code or creating new users, for example. The attack is only limited by the 
privileges of the session it executes in.

Versions affected
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.

- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-025/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-025/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and 
do not fix bugs that were solved in 4.6.10 or 4.7.4.

Important note for Drupal 4.6.10
Any custom forms that do not use the proper form API functions, such as raw HTML 
forms, will break for authenticated users and need to be updated. The easiest 
way to do so is to add the output of form_token() before the closing form tag. 
For phptemplate themes, add the following code before the closing form tag:
<?php print form_token() ?>
A number of modules and themes generate raw HTML forms. Check the list of 
modules and themes, to see if that is an issue for your site.
We advise you test modules and themes in use before committing to an upgrade.

Important note for Drupal 4.7.4
Drupal 4.7.4 adds a new form field to all forms. Contributed modules and themes 
that assume only specific, known form fields to be present, may break on 
Drupal 4.7.4.

We advise you test modules and themes in use before committing to an upgrade.

Reported by
Garvin Hicking.

The security contact for Drupal can be reached at security at drupal.org or 
using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.
Uwe Hermann 
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

Attachment: signature.asc
Description: Digital signature

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [DRUPAL-SA-2006-025] Drupal 4.6.10 / 4.7.4 fixes CRF issue Uwe Hermann (Oct 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]