Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6752 to
the following vulnerability:
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in
Drupal 7.12 and earlier allows remote attackers to hijack the
authentication of arbitrary users for requests that end a session via
the user/logout URI. NOTE: the vendor disputes the significance of
this issue, by considering the "security benefit against platform
complexity and performance impact" and concluding that a change to the
NOTE: I was able to reproduce this on drupal6 as well.
Also forgot to note that there is currently no upstream fix for this as of yet, so I'm not filing Fedora or EPEL trackers for it.
Eek. What a tempest. It looks like neither the exploit nor the patch attempts are meeting with much success so far. I'll keep an eye on this.
I believe the analysis of this report could be applied, for example, to Bugzilla and find it has similar flaws. Bugzilla uses an input type="hidden" name="token" value="long-hash" to provide csrf protection, no? And if someone could sniff that value via mitm or client-side sniffing, does bugzilla have protection such as referrer detection?
The CSRF logout "vulnerability" seems to exist as well. Consider this attack <img src="https://bugzilla.redhat.com/index.cgi?logout=1">
I welcome your analysis and the Drupal project is open to constructive criticism, but I believe most web applications are vulnerable to these issues. That's why we suggest fixes that are at different layers in the stack (e.g. https).
For sites built in Drupal that need extra protection (e.g. for the logout issue) there is a contributed module at http://drupal.org/sandbox/davereid/1332490 which uses our standard token system.
Sites that want to add referrer detection to some or all form actions could do so via the Form API, though I'm not aware of such a module in existence.
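To make concrete the two mitigations Greg names (a session-bound token on the logout action, plus referrer detection on the form action), here is an added Python example; it is not the Drupal sandbox module's code nor Drupal core's token implementation, and the site origin, secret key, form id and request dicts are all constructed for the demo. It shows why an `<img src="/user/logout">` style GET is refused and why a token lifted from a different session does not verify:

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values for the demo; a real deployment keeps the key out of source.
SITE_ORIGIN = "https://example.test"
SERVER_SECRET = b"constructed-demo-secret"
LOGOUT_FORM_ID = "user_logout"


def make_token(session_id: str, form_id: str) -> str:
    """Token bound to both the user's session and the form it protects.
    A token served to another session, or issued for a different form,
    will not verify (simplified per-session token scheme, not Drupal's)."""
    msg = f"{session_id}|{form_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(session_id: str, form_id: str, presented: str) -> bool:
    expected = make_token(session_id, form_id)
    return hmac.compare_digest(expected, presented)


def same_origin(headers: dict) -> bool:
    """Referrer detection: accept only requests whose Origin (or, failing
    that, Referer) names this site. Requests carrying neither are refused."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def logout_allowed(request: dict) -> tuple:
    """Decide whether a /user/logout request may end the session.
    request is a plain dict with keys: method, headers, form, session_id."""
    if request["method"] != "POST":
        return (False, "logout requires POST")
    presented = request["form"].get("token", "")
    if not token_valid(request["session_id"], LOGOUT_FORM_ID, presented):
        return (False, "missing or invalid token")
    if not same_origin(request["headers"]):
        return (False, "cross-origin request")
    return (True, "ok")


def build_request(method, session_id, token=None, referrer=None):
    """Construct a request dict for the checks above (test helper)."""
    headers = {}
    if referrer:
        headers["Referer"] = referrer
    form = {"token": token} if token is not None else {}
    return {"method": method, "headers": headers, "form": form,
            "session_id": session_id}


if __name__ == "__main__":
    sid = "session-abc"
    tok = make_token(sid, LOGOUT_FORM_ID)
    # An image-tag style request: GET, no token, foreign referrer -> refused
    print(logout_allowed(build_request("GET", sid, referrer="https://other.test/page")))
    # The site's own logout form: POST with matching token and referrer -> allowed
    print(logout_allowed(build_request("POST", sid, tok, referrer=SITE_ORIGIN + "/user")))
```

The token check alone already defeats the cross-site logout; the origin check is the belt-and-braces layer Greg mentions for sites that want it on some or all form actions, and refusing requests with no Origin/Referer at all is a design choice that trades a little compatibility for a stricter default.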
Greg, to exploit this vulnerability (force administrator/user's logout) you don't need to sniff the anti-CSRF token. You have only to create a web page containing a simple POST (or GET, as Drupal doesn't care about it) HTTP request, as explained in my Original Advisory (http://www.webapp-security.com/wp-content/uploads/2012/03/Drupal-7.12-latest-stable-release-Multiple-Vulnerabilities.txt).
As I've already explained in Drupal's Group (http://groups.drupal.org/node/216314), only to add a Drupal Administrator do you have to sniff the anti-CSRF token, due to a "problem" related to the token's generation logic. MITRE CVE Numbering Authority classified my recommendations about token generation as Drupal's "security improvements".