- Advisory ID: DRUPAL-SA-CONTRIB-2010-074
- Projects: Drupad (third-party module)
- Version: 6.x
- Date: 2010-07-14
- Security risks: Critical
- Exploitable from: Remote
- Vulnerability: CSRF
Description
The Drupad module is the companion module of the iPhone / iPodTouch application also called Drupad.
The module doesn't check whether the incoming request was made by the application, leading to a CSRF vulnerability. This vulnerability can be used to delete users and content, or to set the site in offline mode, when a privileged user visits a malicious site.
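As an added illustration of the defect class named above (this is not Drupad's code and not the maintainer's fix), the following stand-alone PHP shows a state-changing callback that trusts any request carrying the user's session, beside a hardened version that requires a POST and a per-session token that only the legitimate client could have obtained. Drupal 6's Form API adds such a token to its forms automatically; a module that exposes non-form endpoints has to enforce the same check itself, for which Drupal 6 provides drupal_get_token() and drupal_valid_token(). All function names, the private key and the session/user data below are constructed for the example; the token scheme is implemented inline so the file runs with plain `php`.

```php
<?php
// Added example, not part of the advisory or the Drupad module.
// Constructed private key; a real site derives this from its own secret.
const SITE_PRIVATE_KEY = 'constructed-private-key-for-illustration-only';

// Token bound to both the user's session and the specific action, so a token
// leaked for one action cannot authorise a different one.
function csrf_token(string $session_id, string $action): string {
    return hash_hmac('sha256', $session_id . '|' . $action, SITE_PRIVATE_KEY);
}

function csrf_token_valid(string $session_id, string $action, ?string $token): bool {
    if ($token === null) {
        return false;
    }
    // Constant-time comparison avoids leaking the token through timing.
    return hash_equals(csrf_token($session_id, $action), $token);
}

// VULNERABLE (hypothetical): only the caller's permission is checked. A page
// on another site can cause the browser to send this request, and the
// privileged user's session cookie travels with it.
function vulnerable_user_delete(array $request, array $session, array &$users): string {
    if (!$session['is_admin']) {
        return 'access denied';
    }
    unset($users[$request['uid']]);
    return 'deleted';
}

// HARDENED (hypothetical): the same permission check, plus a requirement
// that the request is a POST and carries a token issued inside this session.
function hardened_user_delete(array $request, array $session, array &$users): string {
    if (!$session['is_admin']) {
        return 'access denied';
    }
    if ($request['method'] !== 'POST') {
        return 'method not allowed';
    }
    $action = 'user/delete/' . $request['uid'];
    if (!csrf_token_valid($session['id'], $action, $request['token'] ?? null)) {
        return 'invalid token';
    }
    unset($users[$request['uid']]);
    return 'deleted';
}

// Constructed site state and scenario: an administrator's session, and a
// cross-site request that rides on that session but carries no token.
$users = ['1' => 'admin', '2' => 'editor', '3' => 'alice'];
$admin_session = ['id' => 'sess-abc123', 'is_admin' => true];
$cross_site_request = ['method' => 'GET', 'uid' => '3'];

$u = $users;
printf("vulnerable, cross-site request: %s (users left: %d)\n",
    vulnerable_user_delete($cross_site_request, $admin_session, $u), count($u));

$u = $users;
printf("hardened, cross-site request:   %s (users left: %d)\n",
    hardened_user_delete($cross_site_request, $admin_session, $u), count($u));

// The genuine client obtained its token within the administrator's session.
$app_request = [
    'method' => 'POST',
    'uid'    => '3',
    'token'  => csrf_token($admin_session['id'], 'user/delete/3'),
];
$u = $users;
printf("hardened, legitimate request:   %s (users left: %d)\n",
    hardened_user_delete($app_request, $admin_session, $u), count($u));
```

Running it shows the vulnerable callback deleting the user on the cross-site request, the hardened callback rejecting that request, and the hardened callback accepting the request that carries a token minted in the administrator's own session. The same pattern covers the other actions the advisory lists (content deletion, taking the site offline): any endpoint that changes state needs the token check, not just the ones that look sensitive.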
Versions affected
- Drupad for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Drupad module, there is nothing you need to do.
Solution
Install the latest version:
- Upgrade to Drupad 6.x-1.1
See also the Drupad project page.
Reported by
- Heine Deelstra of the Drupal security team
Fixed by
- Jérémy Chatard, module maintainer
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.