- Advisory ID: DRUPAL-SA-2008-068
- Project: Localization client and Localization server (third-party modules)
- Versions: 5.x, 6.x
- Date: 2008-October-22
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. The Localization server module provides a community translation interface for translating Drupal modules and themes and is primarily used by Drupal translation teams. The server also provides an interface for the client to send in translation suggestions.
The client's local translation submission interface, approving and declining suggestions on the server and the client's remote submission to the server are implemented in ways, which are vulnerable to cross site request forgeries (CSRF). This may lead to unintended modifications of translated strings on the client, unintended rejection or approval of suggestions or unintended remote suggestion submissions on the sever, when a sufficiently privileged user visits a page or site created by a malicious person.
- Versions of Localization client for Drupal 5.x prior to 5.x-1.1 and for Drupal 6.x prior to 6.x-1.6
- Versions of Localization server for Drupal 5.x prior to 5.x-1.0-alpha5 and for Drupal 6.x prior to 6.x-alpha2
Drupal core is not affected. If you do not use the Localization client or Localization server modules, there is nothing you need to do.
Install the latest version.
- If you use Localization client upgrade to Localization client 5.x-1.1 or Localization client 6.x-1.6 respectively.
- If you use Localization server upgrade to Localization server 5.x-1.0-alpha5 or Localization server 6.x-1.0-alpha2 respectively.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.