Bug 786856 - (CVE-2012-0826) CVE-2012-0826 drupal6, drupal7: XSRF in the Aggregator module (SA-CORE-2012-001)
CVE-2012-0826 drupal6, drupal7: XSRF in the Aggregator module (SA-CORE-2012-001)
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120201,repor...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-02-02 10:26 EST by Jan Lieskovsky
Modified: 2012-03-13 21:24 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-13 21:24:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-02-02 10:26:15 EST
A Cross Site Request Forgery (CSRF) flaw was found in the way the Aggregator module of Drupal, the content management system, performed retrieval of syndicated content from other websites. A remote attacker could provide a specially-crafted URL, which once visited by an unsuspecting Drupal user could lead to the Aggregator module to attempt to in unlimited way obtain feeds from remote websites, which in case the remote site enforced an upper bound / limit for count of feeds, which could be obtained during certain time interval, could lead to denial of service for the victim.

References:
[1] http://drupal.org/node/1425084
Comment 1 Jan Lieskovsky 2012-02-02 10:34:48 EST
This issue is scheduled to be corrected in the following drupal6 package
updates:
1) drupal6-6.24-1.el6  for Fedora EPEL 6,
2) drupal6-6.24-1.el5  for Fedora EPEL 5,
3) drupal6-6.24-1.fc15  for Fedora 15, 
4) drupal6-6.24-1.fc16  for Fedora 16.
Comment 2 Jan Lieskovsky 2012-02-02 10:40:30 EST
This issue is scheduled to be corrected in the following drupal7 package updates:
1) drupal7-7.12-1.el6 for Fedora EPEL 6,
2) drupal7-7.12-1.el5 for Fedora EPEL 5,
3, drupal7-7.12-1.fc16 	for Fedora 16,
4) drupal7-7.12-1.fc15 	for Fedora 15.
Comment 3 Paul W. Frields 2012-03-13 21:24:53 EDT
These packages have been released for all Fedora and EPEL branches.

Note You need to log in before you can comment on or make changes to this bug.