Channel: Issues for Drupal core

CSRF in update module manual check links


Problem/Motivation

This has been publicly disclosed, hence we are fixing in public instead of in the private security team tracker.

reported by Fernando_Arnaboldi

An attacker can force an administrator to trigger a check for updates because of a cross-site request forgery (CSRF) vulnerability in the update module: the manual check links are reachable by plain request with no token tied to the user's session.
- Drupal 6: affected
  http://mysite/?q=admin/reports/updates/check
- Drupal 7: affected
  ?q=admin/reports/updates/check
  ?q=admin/reports/updates

Proposed resolution

Add CSRF token protection to those menu routes: generate the manual check links with a session-bound token and have the page callback refuse requests whose token is missing or invalid.
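As an added illustration of that resolution (not the core patch for this issue and not code from the update module itself), the following hypothetical Drupal 7 module shows the standard pattern: the link carries a token from drupal_get_token(), and the callback rejects the request unless drupal_valid_token() accepts it. The module name, route and permission are assumptions chosen for the example.

```php
<?php
// Hypothetical module "mymodule" (assumed name, not part of Drupal core)
// demonstrating CSRF-token protection for a state-changing GET menu route.

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items = array();
  // Assumed route; mirrors the shape of the affected update-check route.
  $items['admin/reports/mymodule/check'] = array(
    'title' => 'Check manually',
    'page callback' => 'mymodule_manual_check',
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the "check manually" link with a token bound to this action.
 *
 * drupal_get_token() derives the token from the current user's session,
 * so a link copied by a third party will not validate for another session.
 */
function mymodule_check_link() {
  return l(t('Check manually'), 'admin/reports/mymodule/check', array(
    'query' => array('token' => drupal_get_token('mymodule_manual_check')),
  ));
}

/**
 * Page callback: performs the action only when a valid token is present.
 */
function mymodule_manual_check() {
  // Reject missing tokens and tokens issued for a different session or action.
  if (empty($_GET['token'])
      || !drupal_valid_token($_GET['token'], 'mymodule_manual_check')) {
    return MENU_ACCESS_DENIED;
  }

  // The state-changing work goes here (in the real module this is the
  // remote update check); this placeholder only records that it ran.
  variable_set('mymodule_last_manual_check', REQUEST_TIME);
  drupal_set_message(t('Manual check completed.'));
  drupal_goto('admin/reports/mymodule');
}
```

The second argument to drupal_get_token()/drupal_valid_token() names the action, so a token issued for one protected route cannot be replayed against another. Returning MENU_ACCESS_DENIED produces the normal 403 response, which is also the event a site operator would want to see in the access log when a forged request is attempted.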

Remaining tasks

write patch

User interface changes

n/a

API changes

n/a

Data model changes

n/a
