full disclosure

greggles's picture

Detailed response to publicly posted CSRF concerns in Drupal 7.12

Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security, and its report is attached here. This post is a response to that issue.

Summary

The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal and presents a much bigger risk.
