
it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-042: LoginToboggan - Session fixation


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-042: LoginToboggan - Session fixation
  • Date: Wed, 12 May 2010 17:54:47 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-042
* Project: LoginToboggan (third-party module)
* Version: 5.x, 6.x
* Date: 2010-05-12
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Session fixation

-------- DESCRIPTION ---------------------------------------------------------

The LoginToboggan module provides a customized login workflow. Attackers may
be able to exploit the workflow to initiate a session fixation [1] attack.
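The advisory names the vulnerability class but not the mechanism, so the following is a self-contained model of session fixation in general, added here as an illustration; it is not LoginToboggan or Drupal code. The session store, the two login handlers and the user "alice" are constructed for the example. The vulnerable handler authenticates the user on whatever session identifier the browser presented; the hardened one rotates the identifier at the privilege boundary and invalidates the old one (in PHP the rotation step is `session_regenerate_id(TRUE)`). The attacker first obtains a valid anonymous session from the server, plants that identifier in the victim's browser, and then checks whether the planted identifier became an authenticated session after the victim logged in.

```python
import secrets

# Constructed credential store for the example (not a real user database).
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session store keyed by session identifier."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        """Issue a fresh, server-generated anonymous session."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"uid": None}
        return sid

    def get(self, sid):
        # Only identifiers the server issued itself are known here.
        return self.sessions.get(sid)

    def rotate(self, old_sid):
        """Move the session state to a fresh id and invalidate the old id."""
        state = self.sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = state
        return new_sid


def login_vulnerable(store, sid, username, password):
    """Checks the password but keeps the client-presented session id."""
    if store.get(sid) is None:
        sid = store.new_session()
    if USERS.get(username) != password:
        return sid, False
    # Vulnerable: the pre-authentication id survives the privilege change.
    store.get(sid)["uid"] = username
    return sid, True


def login_hardened(store, sid, username, password):
    """Same check, but the session id changes when privilege changes."""
    if store.get(sid) is None:
        sid = store.new_session()
    if USERS.get(username) != password:
        return sid, False
    # Fix: rotate at the privilege boundary; the planted id is now dead.
    new_sid = store.rotate(sid)
    store.get(new_sid)["uid"] = username
    return new_sid, True


def run_fixation_attack(login):
    """
    Returns (hijacked, id_rotated): whether the attacker's planted session
    id is now an authenticated session, and whether the victim received a
    different id after logging in through `login`.
    """
    store = SessionStore()
    # Attacker visits the site and receives a valid anonymous session id,
    # then plants it in the victim's browser (link parameter, cookie
    # injection, ...); that delivery step is outside this model.
    fixed_sid = store.new_session()
    victim_sid, ok = login(store, fixed_sid, "alice", USERS["alice"])
    if not ok:
        raise RuntimeError("victim login unexpectedly failed")
    planted = store.get(fixed_sid)
    hijacked = planted is not None and planted["uid"] == "alice"
    return hijacked, victim_sid != fixed_sid


if __name__ == "__main__":
    print("vulnerable handler:", run_fixation_attack(login_vulnerable))
    print("hardened handler:  ", run_fixation_attack(login_hardened))
```

The same check works against a live site without any code: note the session cookie value received before logging in, log in, and confirm that the server sent a new value and that the old one no longer maps to the authenticated account. A login workflow that leaves the value unchanged is fixation-prone regardless of how the identifier was delivered to the victim.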

-------- VERSIONS AFFECTED ---------------------------------------------------

* LoginToboggan versions for the 5.x and 6.x versions of Drupal

Drupal core is not affected. If you do not use the contributed LoginToboggan
module for Drupal 5.x or 6.x, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version of the module:
* 5.x: LoginToboggan 5.x-1.7 [2]
* 6.x: LoginToboggan 6.x-1.7 [3]

See also the LoginToboggan [4] project page.

-------- REPORTED BY ---------------------------------------------------------

* Chad Phillips (hunmonk [5]), the module maintainer and member of the
Drupal Security Team.

-------- FIXED BY ------------------------------------------------------------

* Chad Phillips (hunmonk [6]), the module maintainer and member of the
Drupal Security Team.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [7].

Read more about the Security Team and Security Advisories at
http://drupal.org/security.


[1] http://en.wikipedia.org/wiki/Session_fixation
[2] http://drupal.org/node/797154
[3] http://drupal.org/node/797158
[4] http://drupal.org/project/logintoboggan
[5] http://drupal.org/user/22079
[6] http://drupal.org/user/22079
[7] http://drupal.org/contact

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
