You are here

Drupad Cross site request forgery

Primary tabs

* Advisory ID: DRUPAL-SA-CONTRIB-2010-074
* Projects: Drupad (third-party module)
* Version: 6.x
* Date: 2010-07-14
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: CSRF


The Drupad module is the companion module of the iPhone / iPodTouch
application also called Drupad. The module doesn't check if the incoming
request is made from the application, leading to a CSRF vulneraby. This
vulnerability can be used to delete users and content, or set the site in
offline mode when a privileged user visits a malicious site.

* Drupad for Drupal 6.x versions prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed Drupad [1]
module, there is nothing you need to do.
-------- SOLUTION

Install the latest version:
* Upgrade to Drupad 6.x-1.1 [2]

See also the Drupad project page [3].
-------- REPORTED BY

* Heine Deelstra [4] of the Drupal security team

-------- FIXED BY

* Jérémy Chatard [5], module maintainer

Taxonomy upgrade extras: