SA-CONTRIB-2009-010 Plus 1 - Cross-site request forgery

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-010
  • Project: Plus 1 (third-party module)
  • Version: 6.x
  • Date: 2009 March 18
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site request forgery (CSRF)

Description

The Plus 1 module provides a voting widget for content that records votes using Ajax.

The URL for voting is vulnerable to cross-site request forgery (CSRF): the request that records a vote is not tied to the user's own intent (for example by a session-bound token), so a malicious page visited by a logged-in user can make that user's browser vote for content without their knowledge.
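The following is an added illustration of the vulnerable pattern and its usual Drupal 6 fix; it is hypothetical example code written for this page, not the Plus 1 module's actual code. The module name `csrfdemo`, its table `{csrfdemo_votes}`, the permission `cast votes` and the token seed `csrfdemo-vote-<nid>` are all assumptions. The Drupal 6 functions used (`drupal_get_token()`, `drupal_valid_token()`, `drupal_json()`, `drupal_set_header()`, `hook_menu()`) are real core APIs.

```php
<?php
// Hypothetical Drupal 6 module "csrfdemo" (not the Plus 1 module's code).
// It exposes two Ajax vote URLs: one with the CSRF weakness, one protected
// by a per-session token. The {csrfdemo_votes} table is assumed to exist
// with columns nid, uid, timestamp (schema not shown).

/**
 * Implementation of hook_menu().
 */
function csrfdemo_menu() {
  $items = array();

  // VULNERABLE: any request to /csrfdemo/vote/<nid> from a logged-in
  // browser casts a vote. A hostile page can trigger it with
  // <img src="http://site/csrfdemo/vote/42">, since the browser sends the
  // victim's session cookie automatically.
  $items['csrfdemo/vote/%node'] = array(
    'page callback'    => 'csrfdemo_vote_unprotected',
    'page arguments'   => array(2),
    'access arguments' => array('cast votes'),
    'type'             => MENU_CALLBACK,
  );

  // PROTECTED: the URL carries a token that is derived from the user's
  // session and the node ID. A third-party page cannot know it, so it
  // cannot forge a valid vote request.
  $items['csrfdemo/vote-token/%node/%'] = array(
    'page callback'    => 'csrfdemo_vote_protected',
    'page arguments'   => array(2, 3),
    'access arguments' => array('cast votes'),
    'type'             => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Menu callback: records a vote with no proof that the user intended it.
 */
function csrfdemo_vote_unprotected($node) {
  csrfdemo_record_vote($node->nid);
  drupal_json(array('status' => 'ok', 'nid' => $node->nid));
}

/**
 * Menu callback: records a vote only if the token matches this session.
 */
function csrfdemo_vote_protected($node, $token) {
  // drupal_valid_token() recomputes the token from the session ID, the
  // site's private key and the seed, and compares it to what was sent.
  if (!drupal_valid_token($token, 'csrfdemo-vote-' . $node->nid)) {
    // Ajax caller: answer with a 403 JSON body instead of a full HTML page.
    drupal_set_header('HTTP/1.1 403 Forbidden');
    drupal_json(array('status' => 'error', 'message' => 'Invalid token'));
    return;
  }
  csrfdemo_record_vote($node->nid);
  drupal_json(array('status' => 'ok', 'nid' => $node->nid));
}

/**
 * Builds the URL the widget's Ajax code should call. The token is minted
 * server-side when the page is rendered, so it is only ever present in a
 * page served to the legitimate user's session.
 */
function csrfdemo_vote_url($nid) {
  $token = drupal_get_token('csrfdemo-vote-' . $nid);
  return url('csrfdemo/vote-token/' . $nid . '/' . $token, array('absolute' => TRUE));
}

/**
 * Stores one vote for the current user (assumed table {csrfdemo_votes}).
 */
function csrfdemo_record_vote($nid) {
  global $user;
  db_query("INSERT INTO {csrfdemo_votes} (nid, uid, timestamp) VALUES (%d, %d, %d)",
    $nid, $user->uid, time());
}
```

Two caveats a practitioner would check when applying this pattern: the token is bound to the session, so the same URL copied to another user's browser is rejected, and the widget's JavaScript must take the URL from `csrfdemo_vote_url()` (for example via `drupal_add_js()` settings) rather than building it from the node ID client-side, or the token is never sent.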

Versions affected

  • Versions of Plus 1 prior to 6.x-2.6

Drupal core is not affected. If you do not use the contributed Plus 1 module, there is nothing you need to do.

Solution

Install the latest version: if you use the Plus 1 module for Drupal 6.x, upgrade to Plus 1 6.x-2.6 or later.

See also the Plus 1 project page.

Reported by

Greg Knaddison of the Drupal security team.

Fixed by

Greg Knaddison, Ben Jeavons, Neil Drumm, and Caroline Schnapp.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.


Drupal is a registered trademark of Dries Buytaert.