NVD Vulnerability Detail

CVE-2009-1576

Summary	Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.
Summary	Vulnerabilidad sin especificar en Drupal 5.x anterior a v5.17 y v6.x anterior a v6.11, usado en vbDrupal anterior a v5.17.0, permite a atacantes remotos asistidos por el usuario obtener información sensible engañando a las víctimas para que visiten la página de inicio a través de una URL manipulada y provocando que los datos de los formularios sean enviados a un sitio controlado por el atacante. Posiblemente relacionado con múltiples caracteres "/" (Slash) que no son manejados adecuadamente por includes/bootstrap.inc como ha sido demostrado usando el formulario de búsqueda. NOTA: esta vulnerabilidad puede ser aprovechada para llevar a cabo ataques de falsificación de petición en sitios cruzados (CSFR)
Publication Date	May 7, 2009, 2:30 a.m.
Registration Date	Jan. 29, 2021, 1:17 p.m.
Last Update	April 23, 2026, 9:35 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:drupal:drupal:5.0:beta1::::::
cpe:2.3:a:drupal:drupal:5.0:beta2::::::
cpe:2.3:a:drupal:drupal:5.0:rc1::::::
cpe:2.3:a:drupal:drupal:5.0:rc2::::::
cpe:2.3:a:drupal:drupal:5.1:::::::*
cpe:2.3:a:drupal:drupal:5.1_rev1.1:::::::*
cpe:2.3:a:drupal:drupal:5.10:::::::*
cpe:2.3:a:drupal:drupal:5.11:::::::*
cpe:2.3:a:drupal:drupal:5.12:::::::*
cpe:2.3:a:drupal:drupal:5.13:::::::*
cpe:2.3:a:drupal:drupal:5.14:::::::*
cpe:2.3:a:drupal:drupal:5.15:::::::*
cpe:2.3:a:drupal:drupal:5.16:::::::*
cpe:2.3:a:drupal:drupal:6.0:beta1::::::
cpe:2.3:a:drupal:drupal:6.0:beta2::::::
cpe:2.3:a:drupal:drupal:6.0:beta3::::::
cpe:2.3:a:drupal:drupal:6.0:beta4::::::
cpe:2.3:a:drupal:drupal:6.0:rc-1::::::
cpe:2.3:a:drupal:drupal:6.0:rc-2::::::
cpe:2.3:a:drupal:drupal:6.0:rc-3::::::
cpe:2.3:a:drupal:drupal:6.0:rc-4::::::
cpe:2.3:a:drupal:drupal:6.1:::::::*
cpe:2.3:a:drupal:drupal:6.2:::::::*
cpe:2.3:a:drupal:drupal:6.3:::::::*
cpe:2.3:a:drupal:drupal:6.4:::::::*
cpe:2.3:a:drupal:drupal:6.5:::::::*
cpe:2.3:a:drupal:drupal:6.6:::::::*
cpe:2.3:a:drupal:drupal:6.7:::::::*
cpe:2.3:a:drupal:drupal:6.8:::::::*
cpe:2.3:a:drupal:drupal:6.9:::::::*
cpe:2.3:a:drupal:drupal:6.10:::::::*

Related information, measures and tools

No	URL	refsource
1	http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-5.16.patch	cve@mitre.org
2	http://drupal.org/node/449078	cve@mitre.org
3	http://secunia.com/advisories/34948	cve@mitre.org
4	http://secunia.com/advisories/34950	cve@mitre.org
5	http://secunia.com/advisories/34980	cve@mitre.org
6	http://www.debian.org/security/2009/dsa-1792	cve@mitre.org
7	http://www.osvdb.org/54153	cve@mitre.org
8	http://www.vbdrupal.org/forum/showthread.php?p=9953#post9953	cve@mitre.org
9	http://www.vupen.com/english/advisories/2009/1216	cve@mitre.org
10	https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.html	cve@mitre.org
11	https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00133.html	cve@mitre.org
12	http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-5.16.patch	af854a3a-2127-422b-91ae-364da2661108
13	http://drupal.org/node/449078	af854a3a-2127-422b-91ae-364da2661108
14	http://secunia.com/advisories/34948	af854a3a-2127-422b-91ae-364da2661108
15	http://secunia.com/advisories/34950	af854a3a-2127-422b-91ae-364da2661108
16	http://secunia.com/advisories/34980	af854a3a-2127-422b-91ae-364da2661108
17	http://www.debian.org/security/2009/dsa-1792	af854a3a-2127-422b-91ae-364da2661108
18	http://www.osvdb.org/54153	af854a3a-2127-422b-91ae-364da2661108
19	http://www.vbdrupal.org/forum/showthread.php?p=9953#post9953	af854a3a-2127-422b-91ae-364da2661108
20	http://www.vupen.com/english/advisories/2009/1216	af854a3a-2127-422b-91ae-364da2661108
21	https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.html	af854a3a-2127-422b-91ae-364da2661108
22	https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00133.html	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

JVN Vulnerability Information

vbDrupal で使用される Drupal における重要な情報を取得される脆弱性

Title	vbDrupal で使用される Drupal における重要な情報を取得される脆弱性
Summary	vbDrupal で使用される Drupal には、重要な情報を取得される脆弱性が存在します。
Possible impacts	攻撃者により、ユーザを騙して、巧妙に作為された URL のフロントページを訪問させ、フォームデータを攻撃者が管理するサイトに送信させられることで、重要な情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 29, 2009, midnight
Registration Date	June 26, 2012, 4:10 p.m.
Last Update	June 26, 2012, 4:10 p.m.

Affected System

Drupal

Drupal 5.17 未満の 5.x および 6.11 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-1576	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1576
National Vulnerability Database (NVD)
2	CVE-2009-1576	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1576

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
Drupal
1	DRUPAL-SA-CORE-2009-005	http://drupal.org/node/449078

Change Log

No	Changed Details	Date of change
0	[2012年06月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:drupal:drupal:5.0:beta1::::::
cpe:2.3:a:drupal:drupal:5.0:beta2::::::
cpe:2.3:a:drupal:drupal:5.0:rc1::::::
cpe:2.3:a:drupal:drupal:5.0:rc2::::::
cpe:2.3:a:drupal:drupal:5.1:::::::*
cpe:2.3:a:drupal:drupal:5.1_rev1.1:::::::*
cpe:2.3:a:drupal:drupal:5.10:::::::*
cpe:2.3:a:drupal:drupal:5.11:::::::*
cpe:2.3:a:drupal:drupal:5.12:::::::*
cpe:2.3:a:drupal:drupal:5.13:::::::*
cpe:2.3:a:drupal:drupal:5.14:::::::*
cpe:2.3:a:drupal:drupal:5.15:::::::*
cpe:2.3:a:drupal:drupal:5.16:::::::*
cpe:2.3:a:drupal:drupal:6.0:beta1::::::
cpe:2.3:a:drupal:drupal:6.0:beta2::::::
cpe:2.3:a:drupal:drupal:6.0:beta3::::::
cpe:2.3:a:drupal:drupal:6.0:beta4::::::
cpe:2.3:a:drupal:drupal:6.0:rc-1::::::
cpe:2.3:a:drupal:drupal:6.0:rc-2::::::
cpe:2.3:a:drupal:drupal:6.0:rc-3::::::
cpe:2.3:a:drupal:drupal:6.0:rc-4::::::
cpe:2.3:a:drupal:drupal:6.1:::::::*
cpe:2.3:a:drupal:drupal:6.2:::::::*
cpe:2.3:a:drupal:drupal:6.3:::::::*
cpe:2.3:a:drupal:drupal:6.4:::::::*
cpe:2.3:a:drupal:drupal:6.5:::::::*
cpe:2.3:a:drupal:drupal:6.6:::::::*
cpe:2.3:a:drupal:drupal:6.7:::::::*
cpe:2.3:a:drupal:drupal:6.8:::::::*
cpe:2.3:a:drupal:drupal:6.9:::::::*
cpe:2.3:a:drupal:drupal:6.10:::::::*