• Advisory ID: DRUPAL-SA-CONTRIB-2009-006
  • Project: Troll (third-party module)
  • Version: 5.x
  • Date: 2009 February 11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site request forgeries (CSRF)

Description

The Troll module provides management tools for community sites to deal with badly behaved users, known as "trolls", including banning users by IP address, advanced user searching, and blocking users by role.

The module does not properly implement the Drupal Form API, which makes it vulnerable to Cross-Site Request Forgeries (CSRF). Nearly all actions taken by the module can be executed via a cross-site request forgery, making it possible for malicious users, for example, to cause administrators to unknowingly block users and arbitrary IP ranges from using the site.
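The protection the advisory says is missing, shown as an added illustration rather than the Troll module's own code: a hypothetical Drupal 5 module named example_ban, with a callback that acts on a bare request beside the Form API and drupal_valid_token() patterns that reject a forged request. The hook_menu() routing and the queries against the {access} table are assumed for illustration.

```php
<?php
// Hypothetical module "example_ban" (added illustration, not the Troll module's code).

// Weak pattern: a menu callback that performs a privileged action as soon as
// the URL is requested. A request forged from an administrator's browser
// carries their session cookie, so nothing distinguishes it from a real one.
function example_ban_ip_weak($ip) {
  db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', 'host', 0)", $ip);
  drupal_set_message(t('Banned %ip.', array('%ip' => $ip)));
}

// Hardened pattern: route the action through the Form API. In Drupal 5,
// confirm_form() renders a POST form whose hidden form_token is validated by
// drupal_validate_form() before the submit handler runs, so a cross-site
// request that lacks the victim's token never reaches the action.
function example_ban_ip_confirm($ip) {
  $form['ip'] = array('#type' => 'value', '#value' => $ip);
  return confirm_form($form,
    t('Are you sure you want to ban %ip?', array('%ip' => $ip)),
    'admin/user/user', t('This action cannot be undone.'), t('Ban'), t('Cancel'));
}

// Drupal 5 submit handler signature: ($form_id, $form_values).
function example_ban_ip_confirm_submit($form_id, $form_values) {
  $ip = $form_values['ip'];
  db_query("INSERT INTO {access} (mask, type, status) VALUES ('%s', 'host', 0)", $ip);
  drupal_set_message(t('Banned %ip.', array('%ip' => $ip)));
  return 'admin/user/user';
}

// For links that must stay GET (an "unban" link in a listing, say), carry a
// token bound to the specific action and verify it with drupal_valid_token().
function example_ban_unban_link($ip) {
  return l(t('Unban'), 'admin/user/example-ban/unban/' . $ip, array(),
    'token=' . drupal_get_token('unban-' . $ip));
}

function example_ban_unban($ip) {
  // Reject the request unless the token matches this user's session and action.
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'unban-' . $ip)) {
    return drupal_access_denied();
  }
  db_query("DELETE FROM {access} WHERE mask = '%s' AND type = 'host'", $ip);
  drupal_set_message(t('Unbanned %ip.', array('%ip' => $ip)));
  drupal_goto('admin/user/user');
}
```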

Versions affected

  • Versions of Troll for Drupal 5.x

The Drupal 6 version by John VanDyk (jvandyk) is not affected. Drupal core is not affected. If you do not use the contributed Troll module, there is nothing you need to do.

Solution

There is no solution available. Disable the module and remove it from your site. See also the Troll project page.

Reported by

  • Reported by Heine Deelstra (Heine).
  • Independently reported by David Kent Norman (deekayen).

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.