Description
The AdSense Click Tracking sub-module tracks clicks on AdSense ad units by logging each click request to the database. The click tracking endpoint is publicly accessible to all users, including anonymous visitors.
The module did not implement any rate limiting or flood protection on this endpoint. An unauthenticated attacker could send an unlimited number of requests to fill the click log table with fabricated records and degrade database performance.
This vulnerability is mitigated by the fact that adsense_click is an opt-in sub-module that must be explicitly enabled, and click tracking must be turned on via the admin settings.
Solution
Install the latest version.
If you use the Google AdSense integration module for Drupal 7, upgrade to adsense 7.x-1.15:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES