CVE-2009-1576
Published: 6 May 2009
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.
Notes
| Author | Note |
|---|---|
| mdeslaur | SA-CORE-2009-005 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
drupal5 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(5.7-1ubuntu1.2)
|
|
| intrepid |
Released
(5.10-1ubuntu1.1)
|
|
| jaunty |
Released
(5.15-1ubuntu1.1)
|
|
| karmic |
Not vulnerable
(5.18-1ubuntu1)
|
|
| upstream |
Released
(5.17)
|
|
|
drupal6 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Released
(6.10-1ubuntu0.1)
|
|
| karmic |
Not vulnerable
|
|
| upstream |
Released
(6.11)
|