Drupal 4.6.10 / 4.7.4 fixes CRF issue

Advisory Content :

------------------------------------------------------------------------
----
Drupal security advisory
DRUPAL-SA-2006-025
------------------------------------------------------------------------
----
Project: Drupal core
Date: 2006-Oct-18
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Cross site request forgeries
------------------------------------------------------------------------
----

Description
-----------
Visiting a specially crafted page, anywhere on the web, may allow that page

to post forms to a Drupal site in the context of the visitor's session.
To illustrate; suppose one has an active user 1 session, the most powerful

administrator account for a site, to a Drupal site while visiting a website

created by an attacker. This website will now be able to submit any form to

the Drupal site with the privileges of user 1, either by enticing the user
to
submit a form or by automated means.

An attacker can exploit this vulnerability by changing passwords, posting
PHP
code or creating new users, for example. The attack is only limited by the

privileges of the session it executes in.

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
--------
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz

- To patch Drupal 4.6.9 use
http://drupal.org/files/sa-2006-025/4.6.9.patch.
- To patch Drupal 4.7.3 use
http://drupal.org/files/sa-2006-025/4.7.3.patch.

Please note that the patches only contain changes related to this advisory,
and
do not fix bugs that were solved in 4.6.10 or 4.7.4.

Important note for Drupal 4.6.10
--------------------------------
Any custom forms that do not use the proper form API functions, such as raw
HTML
forms, will break for authenticated users and need to be updated. The
easiest
way to do so is to add the output of form_token() before the closing form
tag.
For phptemplate themes, add the following code before the closing form
tag:
<?php print form_token() ?>
A number of modules and themes generate raw HTML forms. Check the list of
modules and themes, to see if that is an issue for your site.
We advise you test modules and themes in use before committing to an
upgrade.

Important note for Drupal 4.7.4
-------------------------------
Drupal 4.7.4 adds a new form field to all forms. Contributed modules and
themes
that assume only specific, known form fields to be present, may break on
Drupal 4.7.4.

We advise you test modules and themes in use before committing to an
upgrade.

Reported by
-----------
Garvin Hicking.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or

using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.
--
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFN7D0XdVoV3jWIbQRAi9gAJ9sGhKLk1dZbc1gPec9r0AdDk40LQCbBIIW
hESYAmvWkPSRf5THS5F1qz8=
=9D02
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Drupal 4.6.10 / 4.7.4 fixes CRF issue