Drupal Security Team response to bogus 7.12 CSRF issues
Posted: 9 March 2012 | Filed under: drupal | Tags: drupal, security, web application security
“The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a ‘Man In the Middle’ attack or sniffing software, which is outside of Drupal and presents a much bigger problem.
The Drupal Security team provides an easy way to report issues by sending emails to firstname.lastname@example.org, and we will credit researchers with all issues they report in this manner. No formal report of this issue was filed directly with our team. We encourage all researchers to follow the practice of responsible disclosure, and report directly to our team to ensure both that we can provide public credit for authentic vulnerabilities, and keep our users as secure as possible.”