=====================================================================
CERT-Renater Information Note No. 2010/VULN546
_____________________________________________________________________

DATE                 : 16/12/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Drupal For Firebug 5.x versions prior to 5.x-1.5, Drupal For Firebug 6.x versions prior to 6.x-1.4.
======================================================================

http://drupal.org/node/999282
______________________________________________________________________

SA-CONTRIB-2010-110 - Drupal For Firebug - Cross-site Request Forgery

Posted by Drupal Security Team on December 15, 2010 at 7:08pm

* Advisory ID: DRUPAL-SA-CONTRIB-2010-110
* Project: Drupal For Firebug (third-party module)
* Version: 5.x, 6.x
* Date: 2010-Dec-15
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery

Description

The Drupal For Firebug module allows developers to use Firebug to get debugging information about their Drupal installation.

The module does not properly protect the form used to submit PHP code against Cross-site Request Forgeries (CSRF), allowing a malicious user to trick an authorized user into executing arbitrary PHP code.

Versions affected

* Drupal For Firebug 5.x versions prior to 5.x-1.5
* Drupal For Firebug 6.x versions prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed Drupal For Firebug module, there is nothing you need to do.

Solution

Install the latest version:

* If you use Drupal For Firebug 5.x, upgrade to Drupal For Firebug 5.x-1.5
* If you use Drupal For Firebug 6.x, upgrade to Drupal For Firebug 6.x-1.4

See also the Drupal For Firebug project page.

Reported by

* mr.baileys of the Drupal security team

Fixed by

* Matt Cheney (populist), module maintainer

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
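The advisory does not say how the module's fix was implemented. As an added illustration (not the module's code and not part of the CERT-Renater note), the following standalone PHP contrasts a form handler that trusts any POST with one that requires a session-bound anti-CSRF token, modelled on Drupal 6's drupal_get_token()/drupal_valid_token() pattern; the function names, SITE_PRIVATE_KEY and the form id 'debug_php_form' are hypothetical.

```php
<?php
// Added example, not from the advisory or the Drupal For Firebug module.
// A minimal CSRF token scheme in the spirit of Drupal 6's
// drupal_get_token()/drupal_valid_token(), written standalone so it runs
// without a Drupal bootstrap. In a real Drupal 6 module, building the form
// with drupal_get_form() adds and validates this token automatically.

// Hypothetical site secret; a real deployment uses the site's private key.
const SITE_PRIVATE_KEY = 'constructed-private-key-do-not-reuse';

// Token bound to the user's session and to the specific form it protects,
// so a token obtained for one form cannot authorise another.
function csrf_token(string $session_id, string $form_id): string {
    return hash_hmac('sha256', $session_id . '|' . $form_id, SITE_PRIVATE_KEY);
}

function csrf_token_valid(?string $token, string $session_id, string $form_id): bool {
    if ($token === null || $token === '') {
        return false;
    }
    // Constant-time comparison avoids leaking the expected value byte by byte.
    return hash_equals(csrf_token($session_id, $form_id), $token);
}

// Vulnerable pattern (the class of defect the advisory describes): the
// handler accepts any POST that arrives with a logged-in session cookie, so a
// page the victim visits elsewhere can auto-submit it in their browser.
function handle_debug_submit_unprotected(array $post): string {
    return isset($post['code']) ? 'accepted' : 'rejected: no code';
}

// Hardened pattern: refuse the request unless it carries a token that only a
// page rendered by this site for this session could have contained.
function handle_debug_submit(array $post, string $session_id): string {
    if (!csrf_token_valid($post['form_token'] ?? null, $session_id, 'debug_php_form')) {
        return 'rejected: invalid or missing CSRF token';
    }
    return isset($post['code']) ? 'accepted' : 'rejected: no code';
}

// Constructed sample requests: a cross-site POST carries no valid token,
// because a third-party page cannot read the victim's session id or the key.
$session = 'constructed-session-id';
$forged  = ['code' => 'constructed-sample'];
$genuine = ['code' => 'constructed-sample',
            'form_token' => csrf_token($session, 'debug_php_form')];

echo handle_debug_submit_unprotected($forged), "\n";
echo handle_debug_submit($forged, $session), "\n";
echo handle_debug_submit($genuine, $session), "\n";
```

The first call shows the unprotected handler accepting the forged request, while the hardened handler rejects it and accepts only the request carrying the session-bound token.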
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44    +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41    +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================