CVE-2009-3122
Description
The Ajax Table module 5.x for Drupal does not perform access control, which allows remote attackers to delete arbitrary users and nodes via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Ajax Table module for Drupal 5.x lacks access controls, allowing remote attackers to delete arbitrary users and nodes.
Vulnerability
The Ajax Table module for Drupal 5.x fails to perform access control checks on certain operations. This allows any remote user to delete arbitrary users and nodes via unspecified vectors. The module also contains a cross-site scripting (XSS) vulnerability due to insufficient escaping of user-supplied values [1].
Exploitation
An attacker can exploit the access bypass remotely without requiring authentication or any special privileges. By sending crafted requests to the module's endpoints, the attacker can trigger deletion of arbitrary users and nodes. The exact vectors are not detailed in the advisory, but the lack of access checks makes exploitation straightforward [1].
Impact
Successful exploitation allows an attacker to delete arbitrary users and nodes, leading to data loss and potential denial of service. Additionally, the XSS vulnerability could be leveraged to inject arbitrary HTML and script content, potentially leading to administrator access and further compromise [1].
Mitigation
No official fix is available for the Ajax Table module for Drupal 5.x. The advisory recommends disabling the module and removing it from the server entirely. Users should also consider upgrading to a supported Drupal version and using alternative modules that are actively maintained [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:chris_shattuck:ajaxtable:5.x-1.x-dev:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- drupal.org/node/560298 (nvd, Vendor Advisory)
- secunia.com/advisories/36497 (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2009/2452 (nvd, Vendor Advisory)
- www.osvdb.org/57435 (nvd)
- www.securityfocus.com/bid/36165 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/52818 (nvd)