- Advisory ID: DRUPAL-SA-CONTRIB-2009-045
- Project: Moderation (third-party module)
- Version: 5.x, 6.x
- Date: 2009-07-22
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross-site Request Forgery
Description
The Moderation module uses Ajax to provide a dynamic moderation queue for nodes and comments. The module is vulnerable to cross-site request forgery (CSRF) via the Ajax callbacks used to toggle the moderation bit: the callbacks change state on a plain request without verifying that the administrator intended it. This allows a non-administrative user to trick an administrator into publishing arbitrary moderated content by directing the administrator's browser to the toggle URL, for example through a link or an image src attribute.
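The following Drupal 6 style code is an added illustration of the flaw class described above; it is not the Moderation module's own code and is not the fix that 5.x-1.2 or 6.x-1.3 shipped. The module name, paths and function names (example_moderation_*) are hypothetical. It places a toggle callback that trusts any request from an administrator's browser beside one that additionally requires a session-bound token from drupal_get_token() and checks it with drupal_valid_token(); those two functions, along with drupal_access_denied(), node_save(), drupal_json(), url() and the %node path loader, are Drupal 6 core APIs.

```php
<?php
// Added example, not code from the Moderation project. Everything named
// example_moderation_* is hypothetical; the Drupal API calls are real D6 core.

/**
 * Implementation of hook_menu().
 *
 * Both paths take the node ID from the URL (%node is auto-loaded by node_load).
 * Only the second path also demands a CSRF token before changing state.
 */
function example_moderation_menu() {
  $items = array();

  // Weak pattern: a single GET to this path flips the moderation bit. The
  // access check only proves the browser belongs to an administrator; it says
  // nothing about whether the administrator chose to send the request, so a
  // link or <img src> on any page the administrator views is enough.
  $items['example/moderation/toggle/%node'] = array(
    'page callback' => 'example_moderation_toggle_unprotected',
    'page arguments' => array(3),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // Hardened pattern: same action, but the request must carry a token that is
  // derived from the current session and bound to this node ID.
  $items['example/moderation/toggle-safe/%node'] = array(
    'page callback' => 'example_moderation_toggle_protected',
    'page arguments' => array(3),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Vulnerable callback: changes the node's published state unconditionally.
 */
function example_moderation_toggle_unprotected($node) {
  $node->status = $node->status ? 0 : 1;
  node_save($node);
  drupal_json(array('nid' => $node->nid, 'status' => $node->status));
}

/**
 * Hardened callback: refuses the request unless it carries a token that is
 * valid for this session and this node. A page on another site cannot embed
 * a token it does not know, so a forged link or image fails with 403.
 */
function example_moderation_toggle_protected($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_moderation_toggle:' . $node->nid)) {
    drupal_access_denied();
    return;
  }
  $node->status = $node->status ? 0 : 1;
  node_save($node);
  drupal_json(array('nid' => $node->nid, 'status' => $node->status));
}

/**
 * Builds the URL that the module's own Ajax queue should request. The token is
 * generated server-side for the administrator's session, so only pages the
 * site itself renders for that administrator can produce a valid link.
 */
function example_moderation_toggle_url($nid) {
  $token = drupal_get_token('example_moderation_toggle:' . $nid);
  return url('example/moderation/toggle-safe/' . $nid, array('query' => 'token=' . $token));
}
```

The value passed to drupal_get_token() and drupal_valid_token() must match exactly, and including the node ID in it keeps a token minted for one node from authorising a toggle on another. When reviewing a module for this class of bug, look for any menu callback or Ajax handler that calls node_save(), comment_save() or a similar state-changing function without a token check or a confirmation form, and confirm that the token is tied to the user's session rather than a site-wide constant.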
Versions affected
- Moderation versions 5.x-1.x prior to 5.x-1.2
- Moderation versions 6.x-1.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Moderation module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Moderation for Drupal 5.x, upgrade to Moderation version 5.x-1.2
- If you use Moderation for Drupal 6.x, upgrade to Moderation version 6.x-1.3
See also the Moderation project page.
Reported by
Ben Ford.
Fixed by
Stefan Auditor, the Moderation project maintainer, with assistance from Ben Jeavons of the Drupal Security Team.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.