  • Advisory ID: DRUPAL-SA-CONTRIB-2009-009
  • Project: Forward
  • Versions: 5.x, 6.x
  • Date: 2009-March-11
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Unrestricted e-mailing (spam)

Description

This vulnerability allows spammers or spambots to use sites with the Forward module installed to send nearly unlimited e-mail.

Due to improper use of Drupal's flood control API, it is possible for one user to send an unlimited number of mails using the Forward module.

Important note: the security team has received reports of this vulnerability being actively exploited on production sites, and this advisory should be considered urgent.
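For reference, the rate-limiting pattern the flood control API is designed for, as a Drupal 6 form that sends e-mail, is shown below. This is an added illustration, not the Forward module's own code or its actual fix; the module name, form id, mail key and hourly limit are hypothetical.

```php
<?php
// Added illustration (not the Forward module's code): a Drupal 6 e-mail form
// gated with the flood control API. flood_is_allowed() and
// flood_register_event() key events on the requesting client's IP address
// and count only events registered in the last hour. Both calls must use the
// same event name: a check without a matching register never limits anything.

// Hypothetical per-hour limit for messages from one client.
define('EXAMPLE_FORWARD_HOURLY_LIMIT', 5);

/**
 * Validation handler: refuse the submission once this client has already
 * sent EXAMPLE_FORWARD_HOURLY_LIMIT messages within the last hour.
 */
function example_forward_form_validate($form, &$form_state) {
  if (!flood_is_allowed('example_forward', EXAMPLE_FORWARD_HOURLY_LIMIT)) {
    form_set_error('', t('You cannot send more than @count messages per hour. Please try again later.',
      array('@count' => EXAMPLE_FORWARD_HOURLY_LIMIT)));
    // Log the refusal so repeated abuse is visible to the site administrator.
    watchdog('example_forward', 'Forward e-mail limit reached for %ip.',
      array('%ip' => ip_address()), WATCHDOG_WARNING);
  }
}

/**
 * Submit handler: only reached when validation passed. The event is
 * registered on every successful send, so the counter the validation
 * step relies on stays accurate.
 */
function example_forward_form_submit($form, &$form_state) {
  $params = array('message' => $form_state['values']['message']);
  drupal_mail('example_forward', 'forward_page', $form_state['values']['email'],
    language_default(), $params);
  flood_register_event('example_forward');
}

/**
 * Implementation of hook_mail(): builds the message drupal_mail() sends.
 */
function example_forward_mail($key, &$message, $params) {
  if ($key == 'forward_page') {
    $message['subject'] = t('A page was forwarded to you');
    $message['body'][] = check_plain($params['message']);
  }
}
```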

Versions Affected

  • Forward module 5.x before version 5.x-1.19
  • Forward module 6.x development snapshots

Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.

Solution

Install the latest version:

  • If you are running Forward module 5.x then upgrade to Forward 5.x-1.19.
  • If you are running a Forward module 6.x development snapshot from prior to March 11, 2009 then upgrade to Forward 6.x-1.0.

If you are unable to upgrade immediately, you should disable the Forward module as a work-around.

Reported by

Helmut Debes

Dylan Wilder-Tack

Owen Barton

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.