Cross-site request forgery (CSRF) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that access unpublished content.
Drupal FAQ Ask module versions 5.x and 6.x prior to 6.x-2.0 are vulnerable to Cross-Site Request Forgery (CSRF). An attacker can cause a logged-in user's browser to send a request that accesses unpublished content, and the site serves that request with the victim's privileges. No session is stolen: the victim's own browser attaches the session cookie to the forged request. Exploitation requires luring a logged-in user into following a crafted link or visiting an attacker-controlled or compromised page.
Step 1: Victim Logged In: A legitimate user is logged into a Drupal website using the vulnerable FAQ Ask module.
Step 2: Attacker Crafting: The attacker crafts a malicious URL or HTML form that, when submitted, will trigger the vulnerable functionality in the FAQ Ask module. This crafted payload is designed to access unpublished content.
Step 3: Payload Delivery: The attacker delivers the malicious payload to the victim. This can be done through various means, such as phishing emails, malicious advertisements, or compromised websites.
Step 4: Victim Interaction: The victim, unaware of the malicious intent, either clicks on the link or is tricked into submitting the form (e.g., by visiting a compromised website that automatically submits the form).
Step 5: Request Execution: The victim's browser sends the crafted request to the Drupal website, including the victim's session cookies. Because the FAQ Ask module lacks CSRF protection, the request is processed as if it originated from the user.
Step 6: Unauthorized Access: The request is served with the victim's privileges, so it reaches unpublished content that the victim is allowed to see. The practical impact depends on what that content contains and on what the vulnerable request does with it; CSRF lets the attacker trigger the request but, because of the same-origin policy, not read its response directly.
The vulnerability stems from a lack of CSRF protection in the FAQ Ask module: requests that access unpublished content are accepted without a per-session token, so the module cannot distinguish a request the user intended from one that an attacker's page caused the browser to send. This is not an authentication bypass, since the request is fully authenticated by the victim's session cookie, and it is not an input validation problem either. The missing control is proof that the request originated from the site's own pages. In Drupal 6 that proof is a token generated with drupal_get_token() and embedded in the link or form, then checked with drupal_valid_token() before the action runs; the Form API adds such a token to POST forms automatically, which is why link-driven GET actions are the usual place this check is missing.
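The following Drupal 6 module fragment is an added example, not code from the FAQ Ask module or its fix. It shows the pattern behind the attack walked through in Steps 1 to 6 and the root cause above: a menu callback that serves an unpublished node on the strength of the session cookie alone, beside the same callback protected with the drupal_get_token() / drupal_valid_token() pair from Drupal 6 core. The paths, the function names, the permission string 'view unpublished questions' and the token seed are assumptions made for illustration.

```php
<?php
// Added example (not the FAQ Ask module's own code). Paths, function names,
// the permission string and the token seed are assumed for illustration.

/**
 * Implementation of hook_menu() for a hypothetical module.
 */
function faq_ask_example_menu() {
  $items = array();

  // Forgeable: a logged-in user who holds the permission triggers this
  // callback simply by loading the URL, which an attacker's page can do
  // with e.g. <img src="http://site/faq-ask-example/view/42">.
  $items['faq-ask-example/view/%'] = array(
    'page callback' => 'faq_ask_example_view_forgeable',
    'page arguments' => array(2),
    'access arguments' => array('view unpublished questions'),
    'type' => MENU_CALLBACK,
  );

  // Hardened: the link carries a per-session token that the callback checks.
  $items['faq-ask-example/view-safe/%'] = array(
    'page callback' => 'faq_ask_example_view_safe',
    'page arguments' => array(2),
    'access arguments' => array('view unpublished questions'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Vulnerable variant: the only thing that authorises the request is the
 * session cookie, which the victim's browser attaches to cross-site
 * requests as well, so a forged request is indistinguishable from a real one.
 */
function faq_ask_example_view_forgeable($nid) {
  $node = node_load((int) $nid);
  if (!$node) {
    drupal_not_found();
    return;
  }
  return node_view($node, FALSE, TRUE);
}

/**
 * Hardened variant: requires ?token=... produced by drupal_get_token() for
 * this session and this node. An attacker's page cannot read the victim's
 * token, so a forged request fails drupal_valid_token() and is refused.
 */
function faq_ask_example_view_safe($nid) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'faq_ask_example_view_' . $nid)) {
    drupal_access_denied();
    return;
  }
  $node = node_load((int) $nid);
  if (!$node) {
    drupal_not_found();
    return;
  }
  return node_view($node, FALSE, TRUE);
}

/**
 * The link the module itself renders: it carries the token that matches the
 * check in faq_ask_example_view_safe(), so legitimate navigation keeps working.
 */
function faq_ask_example_view_link($nid) {
  return l(t('View unpublished question'), 'faq-ask-example/view-safe/' . $nid, array(
    'query' => array('token' => drupal_get_token('faq_ask_example_view_' . $nid)),
  ));
}
```

The token is bound to the user's session by drupal_get_token(), and binding it to the node ID as well means a token captured for one question cannot be replayed against another. The same approach applies to any action the module exposes through a plain link; for actions submitted through a Drupal 6 Form API form, the form_token that the Form API adds already performs this check, provided the action is not also reachable through a GET link that bypasses the form.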