FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- cross site request forgery

Affected packages
drupal5 < 5.6
drupal4 < 4.7.11

Details

VuXML ID 4451a4c9-c05e-11dc-982e-001372fd0af2
Discovery 2008-01-10
Entry 2008-01-11
Modified 2010-05-12

The Drupal Project reports:

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
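The pattern described in the report, as an added example (not Drupal's code or its actual patch): a framework-free Python model of a "remove items" handler that changes state on GET, beside a hardened form that requires POST plus a token bound to the session and the action. All function names, the session layout, and the feed data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-site secret (assumption)
FEEDS = {1: ["a", "b"]}                # constructed sample feed items


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to the user's session and to one specific action."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def remove_items_vulnerable(method, session, feed_id, form=None):
    """Pre-fix pattern: any authenticated request, GET included, removes items."""
    if not session.get("admin"):
        return 403
    FEEDS[feed_id] = []
    return 200


def remove_items_hardened(method, session, feed_id, form=None):
    """State changes only on POST carrying a valid per-session token."""
    if not session.get("admin"):
        return 403
    if method != "POST":
        return 405                     # GET must never change state
    expected = csrf_token(session["id"], f"remove:{feed_id}")
    supplied = (form or {}).get("token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403                     # missing or forged token
    FEEDS[feed_id] = []
    return 200


def demo():
    admin = {"id": "s-123", "admin": True}   # constructed privileged session
    good = {"token": csrf_token(admin["id"], "remove:1")}
    FEEDS[1] = ["a", "b"]   # a cross-site GET carries the session, never a token
    vuln_get = (remove_items_vulnerable("GET", admin, 1), len(FEEDS[1]))
    FEEDS[1] = ["a", "b"]
    hard_get = (remove_items_hardened("GET", admin, 1), len(FEEDS[1]))
    no_token = (remove_items_hardened("POST", admin, 1, {}), len(FEEDS[1]))
    with_token = (remove_items_hardened("POST", admin, 1, good), len(FEEDS[1]))
    return dict(vuln_get=vuln_get, hard_get=hard_get, no_token=no_token, with_token=with_token)

if __name__ == "__main__":
    print(demo())
```

Each result pairs the HTTP status with the number of items left in the feed, so the vulnerable handler's data loss and the hardened handler's refusals are visible side by side.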

References

CVE Name CVE-2008-0272
URL http://drupal.org/node/208562
URL http://secunia.com/advisories/28422/