- Advisory ID: DRUPAL-SA-CONTRIB-2010-110
- Project: Drupal For Firebug (third-party module)
- Version: 5.x, 6.x
- Date: 2010-Dec-15
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross-site Request Forgery
Description
The Drupal For Firebug module allows developers to use Firebug to get debugging information about their Drupal installation.
The module does not properly protect the form used to submit PHP code against Cross-site Request Forgeries (CSRF), allowing a malicious user to trick an authorized user into executing arbitrary PHP code.
Versions affected
- Drupal For Firebug 5.x versions prior to 5.x-1.5
- Drupal For Firebug 6.x versions prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Drupal For Firebug module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal For Firebug 5.x, upgrade to Drupal For Firebug 5.x-1.5
- If you use Drupal For Firebug 6.x, upgrade to Drupal For Firebug 6.x-1.4
See also the Drupal For Firebug project page.
Reported by
- mr.baileys of the Drupal security team
Fixed by
- Matt Cheney (populist), module maintainer
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.