  • Advisory ID: DRUPAL-SA-CONTRIB-2010-029
  • Project: Keys (third-party module)
  • Version: 6.x
  • Date: 2010-March-17
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site Request Forgery

Description

The Keys module provides management of various API keys. The module is vulnerable to cross-site request forgery (CSRF) via the keys delete form. This would allow a malicious user to trick an administrator with the "administer keys" permission into deleting keys by directing them to the delete URL, for example through a link or an image's src attribute.
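The following is an added illustration of the vulnerability class described above and is not code from the Keys module; it shows, for Drupal 6, a delete path that acts on a plain request next to the standard fix of routing it through a Form API confirmation form, whose form_token ties the submission to the administrator's session. The function names, the menu path and the table {example_keys} are hypothetical placeholders, and the two menu definitions are shown side by side even though a real module would declare only one hook_menu().

```php
<?php
// Added example, not the Keys module's code. Names, path and {example_keys} are placeholders.

// VULNERABLE PATTERN: the menu callback deletes as soon as the path is requested.
// A GET request triggered by a link or <img src> on any page the admin visits is
// sent with the admin's session cookie, so the delete runs without the admin's intent.
function example_keys_menu_vulnerable() {
  $items['admin/settings/example-keys/%/delete'] = array(
    'page callback'    => 'example_keys_delete_now',
    'page arguments'   => array(3),
    'access arguments' => array('administer keys'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_keys_delete_now($kid) {
  db_query("DELETE FROM {example_keys} WHERE kid = %d", $kid);  // runs on a bare GET
  drupal_goto('admin/settings/example-keys');
}

// HARDENED PATTERN: route the same path to a Form API confirmation form. Drupal 6
// adds a hidden form_token bound to the user's session and drupal_validate_form()
// rejects the submission if the token is missing or wrong, so a cross-site GET or a
// forged POST never reaches the submit handler that performs the delete.
function example_keys_menu_fixed() {
  $items['admin/settings/example-keys/%/delete'] = array(
    'page callback'    => 'drupal_get_form',
    'page arguments'   => array('example_keys_delete_confirm', 3),
    'access arguments' => array('administer keys'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_keys_delete_confirm(&$form_state, $kid) {
  $form['kid'] = array('#type' => 'value', '#value' => (int) $kid);
  return confirm_form($form, t('Are you sure you want to delete this key?'),
    'admin/settings/example-keys', t('This action cannot be undone.'), t('Delete'), t('Cancel'));
}

// Only reached after the Form API has validated the form_token.
function example_keys_delete_confirm_submit($form, &$form_state) {
  db_query("DELETE FROM {example_keys} WHERE kid = %d", $form_state['values']['kid']);
  drupal_set_message(t('The key has been deleted.'));
  $form_state['redirect'] = 'admin/settings/example-keys';
}
```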

Versions affected

  • Keys for Drupal 6.x prior to Keys 6.x-2.0

Drupal core is not affected. If you do not use the contributed Keys module for Drupal 6.x, there is nothing you need to do.

Solution

Upgrade to the latest version:

  • If you use Keys for Drupal 6.x, upgrade to Keys 6.x-2.0 or simply disable the Keys module. Be sure to back up saved keys prior to upgrading.

See also the Keys project page.

Reported by

Steven Jones.

Fixed by

James Jeffery, Keys module maintainer.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.