Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security. This post is a response to that issue.

The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal's control and, if present, is a much bigger problem than the reported issue.

The Drupal Security team provides an easy way to report issues by sending email to security@drupal.org, and we credit researchers for all issues they report in this manner. No formal report of this issue was filed directly with our team. We encourage all researchers to follow the practice of responsible disclosure and report directly to our team, both so that we can provide public credit for authentic vulnerabilities and so that we can keep our users as secure as possible.

Please see the handbook page for the latest description of how to report security issues.

For more details, please see Detailed response to publicly posted CSRF concerns in Drupal 7.12. Comments are closed on this post in order to direct conversation to that post. Individuals interested in Drupal's security are encouraged to join and participate in the Best Practices in Drupal Security discussion group.

About this response

The Drupal Security Team generally does not respond to unsubstantiated issues, and we maintain that this report is erroneous. However, due to the widespread republishing of this report, we felt a response was necessary. We encourage security-minded sites and individuals to evaluate the quality, accuracy, and risk of individual reports before re-publishing them.

Thanks to Owen Barton, Matt Chapman, Stéphane Corlosquet, Heine Deelstra, Michael Hess, Greg Knaddison, Ben Jeavons, Forest Monsen, Károly Négyesi, Dave Reid, David Rothstein, Mori Sugimoto, Dylan Tack, and Damien Tournoud who helped craft our response.