- Advisory ID: DRUPAL-SA-2008-070
- Project: Comment Mail
- Versions: 5.x
- Date: 2008-November-26
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
Description
The Comment Mail module allows an email to be sent to the site administrator(s) when new comments are posted. Links in the email allow quick approval, editing or deletion of the comment, and/or banning of the poster's IP address.
Unfortunately some of these links are vulnerable to cross site request forgery (CSRF), making it possible for malicious users to force administrators (or any user with the "administer comments" permission) to unknowingly ban IP addresses and approve or delete any comment.
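The weakness described above is the classic one for emailed "one-click" moderation links: the action is performed on any GET request that arrives with the administrator's session, so a page or image tag that points at the link is enough to trigger it. The following is an added illustration, not code from the Comment Mail module or from the 5.x-1.1 fix, of the mitigation the advisory implies: bind each link to a secret-keyed token that covers the recipient, the action and the comment id, and refuse the action unless the token validates. The site key, the comment ids, the IP addresses and the `handle_link` callback are all constructed for the example; `require_token=False` reproduces the vulnerable behaviour for comparison.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder; a real site would use its own private key, which
# must not be guessable by anyone who can post comments.
SITE_PRIVATE_KEY = b"constructed-site-private-key"

ACTIONS = ("approve", "delete", "ban")


def make_token(uid: int, action: str, cid: int) -> str:
    """Token bound to the recipient administrator and to one exact action.

    The key is secret, so a comment poster cannot compute the token for a
    link they would like the administrator to click, and a token minted for
    one action (approve) cannot be replayed for another (delete, ban).
    """
    message = f"{uid}:{action}:{cid}".encode()
    return hmac.new(SITE_PRIVATE_KEY, message, hashlib.sha256).hexdigest()


def valid_token(uid: int, action: str, cid: int, token: str) -> bool:
    # Constant-time comparison; a plain '==' leaks timing information.
    return hmac.compare_digest(make_token(uid, action, cid), token)


def build_mail_links(uid: int, cid: int,
                     base: str = "http://example.invalid/comment_mail") -> dict:
    """Links of the kind the advisory describes, each carrying a bound token."""
    return {
        action: f"{base}/{action}/{cid}?" + urlencode({"token": make_token(uid, action, cid)})
        for action in ACTIONS
    }


class ModerationState:
    """Minimal stand-in for the comment table and the IP ban list (constructed data)."""

    def __init__(self):
        self.comments = {17: "unpublished", 18: "unpublished"}
        self.poster_ip = {17: "203.0.113.5", 18: "203.0.113.9"}
        self.banned_ips = set()


def handle_link(state: ModerationState, current_uid: int, url: str,
                require_token: bool = True) -> str:
    """Hypothetical menu callback behind the emailed links.

    With require_token=True the action only runs when the token in the URL was
    minted for this user, this action and this comment. With require_token=False
    any GET arriving in an administrator's browser, however it was triggered,
    performs the action: that is the CSRF the advisory describes.
    """
    parsed = urlparse(url)
    action, cid = parsed.path.rstrip("/").split("/")[-2:]
    cid = int(cid)
    if action not in ACTIONS or cid not in state.comments:
        return "not found"
    if require_token:
        token = parse_qs(parsed.query).get("token", [""])[0]
        if not valid_token(current_uid, action, cid, token):
            return "rejected: missing or invalid token"
    if action == "approve":
        state.comments[cid] = "published"
    elif action == "delete":
        del state.comments[cid]
    else:  # ban
        state.banned_ips.add(state.poster_ip[cid])
    return f"{action} applied to comment {cid}"


if __name__ == "__main__":
    state = ModerationState()
    links = build_mail_links(uid=1, cid=17)
    print(handle_link(state, 1, links["approve"]))
    print(handle_link(state, 1, "http://example.invalid/comment_mail/ban/18"))
    print(handle_link(state, 1, "http://example.invalid/comment_mail/ban/18", require_token=False))
```

The token is tied to the recipient's user id rather than to a browser session because the mail is generated when the comment is posted, when no administrator session exists; the callback still requires the normal "administer comments" permission check that the module's menu entry already imposes. A link that reaches the site without a token, with a token for a different user, or with a token minted for a different action is refused before anything is changed.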
Versions Affected
- Comment Mail for Drupal 5.x prior to 5.x-1.1
Drupal core is not affected. If you do not use the Comment Mail module, there is nothing you need to do.
Solution
Install the latest version.
- If you use Comment Mail, upgrade to Comment Mail 5.x-1.1.
Also see the Comment Mail project page.
Reported by
The module maintainer Maarten van Grootel (maartenvg)
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.