  • Advisory ID: DRUPAL-SA-CONTRIB-2009-087
  • Project: FAQ Ask (third-party module)
  • Version: 6.x
  • Date: 2009 October 28
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple Vulnerabilities (XSS, CSRF, Open Redirect)

Description

The FAQ Ask module enables site users to ask questions for experts to answer.

The module suffers from multiple vulnerabilities, including Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS) problems. These vulnerabilities allow an attacker to hijack the account of a logged-in user by tricking them into visiting a seemingly innocent page, and to gain access to unpublished content on a site.

Versions affected

  • FAQ Ask module for Drupal 6.x prior to 6.x-2.0 (including 6.x-1.x)
  • FAQ Ask module for Drupal 5.x

Drupal core is not affected. If you do not use the contributed FAQ Ask module, there is nothing you need to do.

Solution

Upgrade to the latest version or disable the module.

  • If you use FAQ Ask for Drupal 6.x, upgrade to version 6.x-2.0.
  • If you use FAQ Ask for Drupal 5.x, it is no longer supported; disable it, or upgrade your site to 6.x so you can use FAQ Ask 6.x-2.0.

Reported by

See also the FAQ Ask module project page.

Fixed by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.