SA-CONTRIB-2009-017 - Vote Up/Down - Cross-site request forgery

• Advisory ID: DRUPAL-SA-CONTRIB-2009-017
• Project: Vote Up/Down (third-party module)
• Version: 5.x, 6.x
• Date: 2009-March-25
• Security risk: Not critical
• Exploitable from: Remote
• Vulnerability: Cross-site request forgery

Description

The Vote Up/Down module provides a voting widget for content that records votes using Ajax.

The URL for voting is vulnerable to cross-site request forgeries (CSRF) making it possible for users to unknowingly vote for content.

Versions affected

• Vote Up/Down 5.x-1.x prior to 5.x-1.1
• Vote Up/Down 6.x-1.x prior to 6.x-1.0-beta4

Drupal core is not affected. If you do not use the contributed Vote Up/Down module, there is nothing you need to do.

Solution

Install the latest version:

• If you use Vote Up/Down 5.x-1.x upgrade to Vote Up/Down 5.x-1.1
• If you use Vote Up/Down 6.x-1.x upgrade to Vote Up/Down 6.x-1.0-beta4

See also the Vote Up/Down project page.

Reported by

Alexandr Shvets.

Fixed by

Pratul Kalia.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.