• Advisory ID: SA-CONTRIB-2009-090
  • Project: User Protect (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-November-04
  • Security risk: Moderate
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery

Description

User Protect provides various editing protections for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections.

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticated. The link for deleting user protections and administrator bypasses does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of protections for users, or of administrator bypass settings for user administrators.
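The two patterns the advisory contrasts, as an added Drupal 6 style example that is not the User Protect module's own code: a plain link whose request performs a deletion with no token, beside the same deletion routed through a Forms API confirmation form. The example_ function names, the {example_protection} table and the permission name are assumptions.

```php
<?php
// Added example, not code from the User Protect module. Names prefixed
// "example_", the {example_protection} table (uid column) and the
// permission 'administer example protections' are hypothetical.

// VULNERABLE PATTERN: the page callback deletes as soon as the path is
// requested. Nothing ties the request to the administrator's session, so a
// request forged from another site the administrator is visiting succeeds.
function example_menu_vulnerable() {
  $items['admin/user/protect/delete/%'] = array(
    'page callback'    => 'example_delete_now',
    'page arguments'   => array(4),
    'access arguments' => array('administer example protections'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}
function example_delete_now($uid) {
  db_query("DELETE FROM {example_protection} WHERE uid = %d", $uid);
  drupal_goto('admin/user/userprotect');
}

// FIXED PATTERN: the path renders a confirmation form via drupal_get_form().
// confirm_form() adds Drupal's per-session form token; the Forms API
// rejects a submission whose token does not match, so the submit handler
// (and therefore the deletion) only runs for a form the administrator
// actually submitted on this site.
function example_menu_fixed() {
  $items['admin/user/protect/delete/%'] = array(
    'page callback'    => 'drupal_get_form',
    'page arguments'   => array('example_delete_confirm', 4),
    'access arguments' => array('administer example protections'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}
function example_delete_confirm(&$form_state, $uid) {
  // Carry the uid as a hidden value so it is available in the submit handler.
  $form['uid'] = array('#type' => 'value', '#value' => (int) $uid);
  return confirm_form($form,
    t('Delete the protections for user %uid?', array('%uid' => $uid)),
    'admin/user/userprotect', t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}
function example_delete_confirm_submit($form, &$form_state) {
  db_query("DELETE FROM {example_protection} WHERE uid = %d",
    $form_state['values']['uid']);
  $form_state['redirect'] = 'admin/user/userprotect';
}
```

When reviewing a module for this class of bug, look for menu callbacks that change state without going through drupal_get_form() or checking drupal_valid_token() on the request.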

Versions affected

  • User Protect for Drupal 5.x before User Protect 5.x-1.4
  • User Protect for Drupal 6.x before User Protect 6.x-1.3

Drupal core is not affected. If you do not use the contributed User Protect module, there is nothing you need to do.

Solution

Install the latest version:

Please note that update.php *must* be run as part of this upgrade in order for the issue to be fully fixed.

See also the User Protect project page.

Reported by

Chad Phillips and mr.baileys.

Fixed by

Chad Phillips.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.