SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)

CVE: CVE-2012-2341

This module enables you to manage your Drupal file-system from within Drupal itself.
The module does not sufficiently validate Ajax calls leading to possibility of a Cross Site Request Forgery (CSRF) attack.
This vulnerability is mitigated by the fact that the attacker must be able to guess your Drupal file-system root path exactly. Further, if your site follows the secure file-system permissions recommendations and the web-server account does not have write access to Drupal root, only files/folders in Drupal’s “files” directory are open to manipulation.

Versions affected

• Take Control 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Take Control module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Take Control module for Drupal 6.x, upgrade to Take Control 6.x-2.2

Also see the Take Control project page.

Reported by

• Carl Wiedemann

Fixed by

• Rahul Singla the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team