FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- cross site request forgeries

Affected packages
drupal < 4.6.10

Details

VuXML ID 937d5911-5f16-11db-ae08-0008743bf21a
Discovery 2006-10-18
Entry 2006-10-18

The Drupal Team reports:

Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means.

An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in.

References

URL http://drupal.org/drupal-4.7.4
URL http://drupal.org/files/sa-2006-025/advisory.txt