CVE-2007-6752
Drupal < 7.12 - Cross-Site Request Forgery via User Logout URI
Title source: LLM
Exploitation Summary
EIP tracks 1 public exploit for CVE-2007-6752. PoCs published by Ivano Binetti.
AI-analyzed exploit summary
This exploit demonstrates CSRF vulnerabilities in Drupal CMS 7.12, allowing an attacker to add an administrator account or force logout of an administrator by tricking them into visiting a crafted webpage. The exploit leverages poor session checking and lack of HTTP referer validation.
Description
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off."
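Added example, not Drupal's code and not taken from the published PoC: a minimal Python model of the user/logout endpoint that contrasts the unprotected GET logout described above with a handler that only ends the session when the URL carries a per-session HMAC token. The site secret, session ids and helper names are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed site secret (assumption): in a real site this is persistent server-side state.
SITE_SECRET = secrets.token_bytes(32)


def logout_token(session_id: str) -> str:
    """Derive a logout token bound to one session: HMAC-SHA256(site secret, session id)."""
    return hmac.new(SITE_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def logout_link(session_id: str) -> str:
    """The logout link a site would render for the logged-in user (hypothetical helper)."""
    return f"/user/logout?token={logout_token(session_id)}"


def handle_logout_vulnerable(session_id: str, request_uri: str) -> bool:
    """Drupal 7.12-style behaviour: any request to /user/logout ends the session.

    Nothing ties the request to the user's intent, so an <img> or link on a third-party
    page that points at /user/logout is enough to log the victim out (the CVE above).
    """
    return urlparse(request_uri).path == "/user/logout"


def handle_logout_hardened(session_id: str, request_uri: str) -> bool:
    """Only end the session when the URL carries the token derived for this session.

    A cross-site page cannot know the token (it depends on the site secret and the
    victim's session id), so forged requests are rejected; a token minted for a
    different session is rejected too. Comparison is constant-time.
    """
    parsed = urlparse(request_uri)
    if parsed.path != "/user/logout":
        return False
    presented = parse_qs(parsed.query).get("token", [""])[0]
    return hmac.compare_digest(presented, logout_token(session_id))
```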