=====================================================================
CERT-Renater Information Note No. 2007/VULN491
_____________________________________________________________________
DATE                 : 06/12/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Feature versions 4.7.x, 5.x.
======================================================================

http://drupal.org/node/198164
______________________________________________________________________

SA-2007-033 - Feature - CSRF

Security announcements
Heine - December 5, 2007 - 20:39

* Advisory ID: DRUPAL-SA-2007-033
* Project: Feature module (third-party module)
* Version: 4.7.x, 5.x
* Date: 2007-December-05
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site request forgery

Description

Feature is a contributed module that lets you organize and maintain a feature list by category.

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where he is authenticated. The feature deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of features.

To learn more about Cross Site Request Forgeries please read this article.

Versions affected

* Feature 4.7.x-dev before December 6, 2007.
* Feature 5.x-dev before December 6, 2007.

Solution

Install the latest version:

* If you use Drupal 4.7.x upgrade to Feature 4.7.x-1.0
* If you use Drupal 5.x upgrade to Feature 5.x-1.0

Reported by

Stéphane Corlosquet (scor)

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
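To make the "does not follow the standard Forms API submission model" point concrete, here is an added illustration in Drupal 5 style. It is not the Feature module's own code and not the fix shipped in 4.7.x-1.0 or 5.x-1.0; the function names, the {feature} table, the 'administer features' permission and the admin/feature paths are assumptions for the example. It contrasts a deletion callback that bypasses the Forms API (so no form token is ever checked) with one routed through drupal_get_form() and confirm_form(), where the token is added on render and validated on submit.

```php
<?php
// Added illustration (not the Feature module's real code): a deletion path
// that bypasses the Forms API, beside one that goes through it.
// Function names, the {feature} table, the permission name and the
// 'admin/feature' paths are assumed for the example.

// --- Unprotected pattern: deletion performed directly by a menu callback ---
// Reaching the path performs the delete on any request, and because the
// request never passes through drupal_get_form(), no form_token is
// generated or validated. This is the shape the advisory warns about.
function feature_delete_insecure($fid) {
  db_query('DELETE FROM {feature} WHERE fid = %d', $fid);
  drupal_set_message(t('Feature deleted.'));
  drupal_goto('admin/feature');
}

// --- Protected pattern: route the deletion through drupal_get_form() ---
// Drupal 5 hook_menu(): the callback is drupal_get_form, which builds the
// form, adds the per-session form_token element on render, and on
// submission runs drupal_validate_form(), which rejects a missing or
// invalid token before any submit handler is called.
function feature_menu_example($may_cache) {
  $items = array();
  if (!$may_cache) {
    $items[] = array(
      'path'               => 'admin/feature/delete',
      'title'              => t('Delete feature'),
      'callback'           => 'drupal_get_form',
      'callback arguments' => array('feature_delete_confirm', arg(3)),
      'access'             => user_access('administer features'),
      'type'               => MENU_CALLBACK,
    );
  }
  return $items;
}

// Form builder: a standard confirmation form. confirm_form() returns a
// Forms API array, so the token handling is inherited automatically.
function feature_delete_confirm($fid) {
  $form['fid'] = array('#type' => 'value', '#value' => (int) $fid);
  return confirm_form($form,
    t('Are you sure you want to delete this feature?'),
    'admin/feature',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

// Submit handler (Drupal 5 signature): only reached after the form_token
// was accepted, i.e. the POST came from a form this site rendered for
// this user's session rather than from a cross-site request.
function feature_delete_confirm_submit($form_id, $form_values) {
  db_query('DELETE FROM {feature} WHERE fid = %d', $form_values['fid']);
  drupal_set_message(t('Feature deleted.'));
  return 'admin/feature';
}
```

When reviewing a contributed module for this class of bug, the check is simple: every state-changing action should be reachable only through a submit handler invoked by drupal_get_form(), and the rendered page should contain the hidden form_token input. A menu callback that performs a write directly, or a form whose submit handler is called by hand, has opted out of the protection the Forms API provides.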
======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================