=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN094
_____________________________________________________________________

DATE                      : 12/03/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the Forward module for Drupal.

======================================================================
http://drupal.org/node/398564
______________________________________________________________________

SA-CONTRIB-2009-009 Forward module can be used as a spam relay
Drupal Security Team - March 11, 2009 - 16:17


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-009
  * Project: Forward
  * Versions: 5.x, 6.x
  * Date: 2009-March-11
  * Security risk: Highly Critical
  * Exploitable from: Remote
  * Vulnerability: Unrestricted e-mailing (spam)

-------- DESCRIPTION ---------------------------------------------------------

This vulnerability allows spammers or spambots to use sites with the forward
module installed to send nearly unlimited e-mail.

Due to improper use of Drupal's flood control API, it is possible for one
user to send an unlimited number of e-mails using the forward module.
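As an added illustration (not code from the Forward module or from the Drupal project), the handlers below show the intended use of the Drupal 6.x flood control API around a form that sends e-mail. The advisory does not state how Forward misused the API, so the "weak" variant is a constructed example of a rate limit that never takes effect, not Forward's actual code; the event name, threshold and `example_forward_*` names are assumptions.

```php
<?php
// Added example, not the Forward module's code. Targets the Drupal 6.x API
// (flood_is_allowed(), flood_register_event(), drupal_mail(), hook_mail()).
// The "weak" handler is a constructed illustration, not the real defect.

define('EXAMPLE_FORWARD_FLOOD_EVENT', 'example_forward_mail'); // hypothetical event name
define('EXAMPLE_FORWARD_HOURLY_LIMIT', 20);                    // hypothetical per-IP threshold

/**
 * Weak submit handler (constructed): the flood event is recorded but never
 * consulted, so nothing stops one client from submitting the form indefinitely.
 */
function example_forward_weak_submit($form, &$form_state) {
  flood_register_event(EXAMPLE_FORWARD_FLOOD_EVENT);
  drupal_mail('example_forward', 'forward', $form_state['values']['email'],
              language_default(), array('body' => $form_state['values']['message']));
}

/**
 * Corrected validate handler: reject the submission once this client IP has
 * already logged the threshold number of events inside the flood window
 * (one hour in Drupal 6 core), before any mail is built.
 */
function example_forward_checked_validate($form, &$form_state) {
  if (!flood_is_allowed(EXAMPLE_FORWARD_FLOOD_EVENT, EXAMPLE_FORWARD_HOURLY_LIMIT)) {
    form_set_error('', t('You have sent too many messages recently. Please try again later.'));
    watchdog('example_forward', 'Mail send limit reached for %ip.',
             array('%ip' => ip_address()), WATCHDOG_WARNING);
  }
}

/**
 * Corrected submit handler: runs only after validation passed, and records
 * the event so that the next flood check counts this send.
 */
function example_forward_checked_submit($form, &$form_state) {
  flood_register_event(EXAMPLE_FORWARD_FLOOD_EVENT);
  drupal_mail('example_forward', 'forward', $form_state['values']['email'],
              language_default(), array('body' => $form_state['values']['message']));
}

/**
 * Implementation of hook_mail(): supplies subject and body for drupal_mail().
 */
function example_forward_mail($key, &$message, $params) {
  if ($key == 'forward') {
    $message['subject'] = t('A page was forwarded to you');
    $message['body'][] = $params['body'];
  }
}
```

Both the validate check and the submit registration are needed: registering without checking (the weak handler) logs activity but never limits it, while checking without registering never sees any activity to limit.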

*Important note*: the security team has received reports of this
vulnerability being actively exploited on production sites, and this advisory
should be considered urgent.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal 5.x before version 5.x-1.19
  * Drupal 6.x development snapshots

Drupal core is not affected. If you do not use the contributed Forward
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you are running Drupal 5.x then upgrade to Forward 5.x-1.19 [1].
  * If you are running a Drupal 6.x development snapshot from prior to March
    11, 2009 then upgrade to 6.x-1.0 [2].

If you are unable to upgrade immediately, you should disable the Forward
module as a work-around.

-------- REPORTED BY ---------------------------------------------------------

Helmut Debes

Dylan Wilder-Tack

Owen Barton

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://ftp.drupal.org/files/projects/forward-5.x-1.19.tar.gz
[2] http://ftp.drupal.org/files/projects/forward-6.x-1.0.tar.gz

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================