CSRF vulnerability in AJAX request processing : SA-CONTRIB-2012-036

Looks solid. drupal_get_token() should ideally be called with something specific to the action like a form ID and/or an order ID (or both concatenated together).

Not sure which version the first patch was based on, but function uc_bulk_stock_updater_stock_update_ajax() is slightly different in the git 'master' branch of this module. Here's a reworked patch. I used drupal_get_token('ucbsu') to generate the token.

The patch in #3 seems to fix the issue. I have requested maintainership of this module however they want the patch to be approved prior to approval. I have moved this to the Security project, but if that is not correct please let me know how I could get this patch approved.

Security is unrelated to the security team. http://drupal.org/node/251466 details what you should do and sreynen sent you that link 3 days ago, so it seems odd to say you are not sure if your action is the correct action.

Having reviewed this patch I suggest changing the token generation/validation so that it uses something like the node ID of the item being updated instead of just using ucbsu as the seed of the token.

Any update on this, client still would like to use this.

In this patch, a token based on the product sku is added to each row in the table and is used to validate editable fields in that row. The sku is used instead of the node id, since the sku is already available in the javascript, and it should be unique. (It only makes sense to have unique sku's on your products although I don't think Ubercart actually enforces it.)

This module seems too useful to let it languish, and I'm not aware of anything else that provides a similar feature. So if this patch passes review, I'll apply to be maintainer and work on updating it for D7.