[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-074 - Drupad - Cross-site request forgery

[security-news AT drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-074
  * Projects: Drupad (third-party module)
  * Version: 6.x
  * Date: 2010-07-14
  * Security risks: Critical
  * Exploitable from: Remote
  * Vulnerability: CSRF

-------- DESCRIPTION  
---------------------------------------------------------

The Drupad module is the companion module of the iPhone / iPodTouch
application also called Drupad. The module doesn't check if the incoming
request is made from the application, leading to a CSRF vulneraby. This
vulnerability can be used to delete users and content, or set the site in
offline mode when a privileged user visits a malicious site.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Drupad for Drupal 6.x versions prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed Drupad [1]
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * Upgrade to Drupad 6.x-1.1 [2]

See also the Drupad project page [3].
-------- REPORTED BY  
---------------------------------------------------------

  * Heine Deelstra [4] of the Drupal security team

-------- FIXED BY  
------------------------------------------------------------

  * Jérémy Chatard [5], module maintainer

-------- CONTACT  
-------------------------------------------------------------

The Drupal security team can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/drupad
[2] http://drupal.org/node/854034
[3] http://drupal.org/project/drupad
[4] http://drupal.org/user/17943
[5] http://drupal.org/user/130002

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news