The new node links have no CSRF protection. They should have a token appended on the request to node/[nid]/toggle and fasttoggle_nodeoption() should run drupal_validate_token() on it before saving the node. It is possible to maliciously cause a browser to POST to an arbitrary URL using a Flash vulnerability which has not been patched to my knowledge.
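The protection the report asks for, written out as an added example: this is not the fasttoggle module's own code, but a minimal Drupal 6 style module sketch with a toggle link and its menu callback, once in the unprotected shape the report describes and once checked with Drupal core's drupal_get_token()/drupal_valid_token() pair (the report calls the check drupal_validate_token(); core's actual name is drupal_valid_token()). The module name example_toggle, the path node/%node/example-toggle/%, the list of toggleable fields and the watchdog message are assumptions made for this example.

```php
<?php
// Added example, not the fasttoggle module's code: a Drupal 6 style toggle
// link and menu callback, first without CSRF protection and then hardened
// with drupal_get_token()/drupal_valid_token(). The module name
// "example_toggle", the path, and the toggleable field list are assumptions.

/**
 * Implementation of hook_menu().
 */
function example_toggle_menu() {
  $items['node/%node/example-toggle/%'] = array(
    'title' => 'Toggle',
    'page callback' => 'example_toggle_node',
    'page arguments' => array(1, 3),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the toggle link. The token value is bound to the node and the
 * field, so a token issued for one node is not valid for another.
 */
function example_toggle_link($node, $field) {
  return l(t('Toggle @field', array('@field' => $field)),
    "node/$node->nid/example-toggle/$field",
    array('query' => array('token' => drupal_get_token("toggle-$node->nid-$field"))));
}

/**
 * Unprotected shape of the callback (the pattern the report describes):
 * nothing ties the request to the current user's session, so any page the
 * user visits that can make the browser request this URL changes the node.
 */
function example_toggle_node_unprotected($node, $field) {
  $node->$field = (int) !$node->$field;
  node_save($node);
  drupal_goto("node/$node->nid");
}

/**
 * Hardened callback: the request must carry the token that
 * example_toggle_link() appended, and it must validate for this session,
 * node and field; otherwise nothing is saved and the attempt is logged.
 */
function example_toggle_node($node, $field) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, "toggle-$node->nid-$field")) {
    // Log the rejected request so CSRF attempts show up in the site log.
    watchdog('example_toggle', 'Rejected toggle request without a valid token for node %nid.',
      array('%nid' => $node->nid), WATCHDOG_WARNING);
    drupal_access_denied();
    return;
  }
  // Only flip the fields this module is meant to control.
  if (!in_array($field, array('status', 'promote', 'sticky'))) {
    drupal_not_found();
    return;
  }
  $node->$field = (int) !$node->$field;
  node_save($node);
  drupal_goto("node/$node->nid");
}
```

The token check, not the HTTP method, is what stops the cross-site request: a browser can be made to issue both GET and POST requests to another site, but it cannot read the session-bound token that drupal_get_token() derives from the victim's session and the site's private key, so the check fails and node_save() is never reached. The watchdog() entry on rejection gives the site administrator a record of attempts to review.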

Comments

kkaefer

Status: Active » Fixed

Thanks for reporting. Fixed in HEAD.

Anonymous

Status: Fixed » Closed (fixed)