SA-2008-073

Primary links

Advisory ID: DRUPAL-SA-2008-073
Project: Drupal core
Version: 5.x, 6.x
Date: 2008-December-10
Security risk: Moderately Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Cross site request forgery in update.php and cross site scripting when input formats are deleted.

The official announcement for Drupal 5.x is here.

Considerations for Drupal 4.7

Drupal 4.7 is vulnerable to the same attack and should be patched. The affected function in filter.module did not change between version 4.7 and 5.x. In addition, a similar patch in update.php is sufficient to protect against CSRF. Note that this patch uses the function drupal_get_token() which is not present in older version of the 4.7 branch. In particular it is present in 4.7.7 but not in 4.7.2. If you need to patch older versions 4.7 you will need to backport further functionality from 4.7.7.

SA-2008-073-4.7.patch

Featured Project

Open Green Map

Open Green Map is an interactive, multilingual platform where users can post and add features to maps of localities all over the world. Openflows is incorporating open source and Google Maps technology with social networking and other interactive features to create an ecological map publishing platform with a community feel.

Full description

Our Clients Are the Bottom Line

One of the key things that makes OCTL different from many other free software/open source consulting groups is that we have no investors. We built the company based on labor and the needs of our clients.

At the end of the day, our decisions are based not on what is in the best interests of shareholders, but on the commitments and relationships we have with the companies and organizations we work with.