September 17, 2009, 10:39 am
Multiple vulnerabilities and weaknesses were discovered in Drupal.
OpenID association cross site request forgeries
The OpenID module in Drupal 6 allows users to create an account or log into a Drupal site using one or more OpenID identities.
The core OpenID module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore able to use cross site request forgeries to add attacker controlled OpenID identities to existing accounts. These OpenID identities can then be used to gain access to the affected accounts...