  • Advisory ID: DRUPAL-SA-CONTRIB-2010-035
  • Project: Smileys (third-party module)
  • Versions: 5.x
  • Date: 2010-April-07
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site Request Forgery

Description

The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgeries (CSRF) via the URL used to delete smileys. A user with "administer smileys" permission could be tricked into visiting the smiley delete URL and unwittingly remove smileys from the site.
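
An added example, not code from the Smileys module or from this advisory: a self-contained PHP sketch contrasting a delete action that fires on any visit to its URL with a handler that requires POST plus a session-bound token. The function names, the token scheme and the sample data are assumptions; the advisory does not describe how the module itself was fixed.

```php
<?php
// Added illustration, not code from the Smileys module; all names are hypothetical.

// Constructed sample data standing in for the site's smiley list.
$smileys = [1 => ':-)', 2 => ';-)', 3 => ':-('];

// Per-site secret, generated per run for this demo; a real site would persist it.
$site_key = bin2hex(random_bytes(32));

// Token bound to the admin's session and to one specific action.
function action_token(string $session_id, string $action, string $key): string {
    return hash_hmac('sha256', $session_id . ':' . $action, $key);
}

// Vulnerable pattern: any request that reaches the delete URL deletes.
function delete_smiley_unsafe(array &$smileys, int $id): bool {
    unset($smileys[$id]);
    return true;
}

// Hardened pattern: POST only, and the request must carry the session-bound token.
function delete_smiley_checked(array &$smileys, string $method, int $id,
        string $session_id, string $token, string $key): bool {
    if ($method !== 'POST') {
        return false; // state changes are never performed on GET
    }
    $expected = action_token($session_id, "smiley-delete:$id", $key);
    if (!hash_equals($expected, $token)) {
        return false; // missing or wrong token: request did not come from our form
    }
    unset($smileys[$id]);
    return true;
}

$session = 'constructed-admin-session-id';

// A forged cross-site request carries the admin's cookie but no valid token.
$forged_get = delete_smiley_checked($smileys, 'GET', 2, $session, '', $site_key);
$forged_post = delete_smiley_checked($smileys, 'POST', 2, $session, 'guess', $site_key);

// The site's own confirmation form embeds the token, so this request succeeds.
$token = action_token($session, 'smiley-delete:2', $site_key);
$genuine = delete_smiley_checked($smileys, 'POST', 2, $session, $token, $site_key);

var_dump($forged_get, $forged_post, $genuine, array_keys($smileys));
```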

Versions affected

  • Smileys module for Drupal 5.x versions prior to 5.x-1.2.

Note that Smileys version 6.x-1.0-alpha5 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases.

Drupal core is not affected. If you do not use the contributed Smileys module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the Smileys module for Drupal 5.x-1.x, upgrade to Smileys 5.x-1.2.

See also the Smileys project page.

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.