
it-securitynotifies - [IT-SecNots] [Security-news] Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072
  • Date: Wed, 31 Oct 2018 18:14:08 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-072

Project: Session Limit [1]
Version: 7.x-2.2, 8.x-1.0-beta2
Date: 2018-October-31
Security risk: *Critical* 15/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Insecure Session Management

Description: 
The Session Limit module lets a site administrator set a policy for the
number of active sessions a user account may have. This is typically set to
one, so that an account can be logged in only once at a time.

In one configuration of the module, when a user logs in while another session
for the same account is already active elsewhere, the module asks the user
which session should be closed before the login can proceed. The module does
not sufficiently tokenise the list of sessions in that form: the sessions are
identified by their actual session keys, so the user's session keys can be
recovered by inspecting the HTML of the form.

This vulnerability is mitigated by the fact that an attacker must already be
able to read the contents of the HTML page delivered to the victim in order to
exploit the issue. That ability may come from a Cross Site Scripting
vulnerability, so this issue makes a Cross Site Scripting vulnerability on the
site worse than it would otherwise be.
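The tokenisation the advisory calls for, as an added example in Python (this is not code from the Session Limit module or from Drupal): the session store, the site secret and the session IDs below are constructed placeholders. `render_form_weak` shows the vulnerable pattern, where the radio-button values are the raw session keys and therefore readable by any script running in the page. `render_form_hardened` replaces each key with an HMAC-derived opaque token that is only resolved back to a session server-side, and only against the sessions of the user who submitted the form, so a token for another account (or a guessed value) closes nothing.

```python
"""Opaque session handles for a 'choose which session to close' form.

Added example, not code from the Session Limit module. All data below is
constructed for illustration.
"""
import hashlib
import hmac
import html

# Constructed sample data: the server-side session store, keyed by session ID,
# holding the owning user ID and some metadata the user can recognise.
SESSION_STORE = {
    "SESSa1b2c3d4": {"uid": 42, "hostname": "203.0.113.7", "timestamp": 1540000000},
    "SESSe5f6a7b8": {"uid": 42, "hostname": "198.51.100.9", "timestamp": 1540001000},
    "SESS99887766": {"uid": 7, "hostname": "192.0.2.5", "timestamp": 1540002000},
}

# Assumed server-side secret used to derive tokens (hypothetical value).
SITE_SECRET = b"example-site-secret-do-not-reuse"


def user_sessions(uid):
    """Session IDs belonging to uid, oldest first."""
    return sorted(
        (sid for sid, s in SESSION_STORE.items() if s["uid"] == uid),
        key=lambda sid: SESSION_STORE[sid]["timestamp"],
    )


def render_form_weak(uid):
    """Vulnerable pattern: radio values are the raw session IDs, so anyone who
    can read the rendered page (e.g. through XSS) learns the user's session keys."""
    rows = []
    for sid in user_sessions(uid):
        s = SESSION_STORE[sid]
        rows.append(
            f'<input type="radio" name="sid" value="{html.escape(sid)}"> '
            f'{html.escape(s["hostname"])} ({s["timestamp"]})'
        )
    return "\n".join(rows)


def session_token(uid, sid, secret=SITE_SECRET):
    """Opaque handle for (uid, sid): HMAC-SHA256 over both, hex encoded.
    Binding the uid means a token is only meaningful for its owner."""
    return hmac.new(secret, f"{uid}:{sid}".encode(), hashlib.sha256).hexdigest()


def render_form_hardened(uid):
    """Hardened pattern: the form carries only tokens; the session IDs never
    leave the server."""
    rows = []
    for sid in user_sessions(uid):
        s = SESSION_STORE[sid]
        rows.append(
            f'<input type="radio" name="token" value="{session_token(uid, sid)}"> '
            f'{html.escape(s["hostname"])} ({s["timestamp"]})'
        )
    return "\n".join(rows)


def resolve_token(uid, token):
    """Map a submitted token back to one of *this* user's session IDs.
    Returns None for unknown tokens and for tokens of other users' sessions.
    compare_digest keeps the comparison constant-time."""
    submitted = str(token).encode()
    for sid in user_sessions(uid):
        if hmac.compare_digest(session_token(uid, sid).encode(), submitted):
            return sid
    return None


def close_session(uid, token):
    """Form submission handler: delete the chosen session only if the token
    resolves to a session owned by uid."""
    sid = resolve_token(uid, token)
    if sid is None:
        return False
    del SESSION_STORE[sid]
    return True
```

The tokens are deterministic per (secret, uid, session ID), so the handler needs no extra storage; rotating the site secret simply invalidates outstanding forms. A random per-request token kept in the user's own session data would work equally well and is the usual Drupal form-token approach.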

Solution: 
Install the latest version:

* If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3 [3]
* If you use the Session Limit module for Drupal 8.x, upgrade to
8.x-1.0-beta3 [4]

Also see the Session Limit [5] project page.

Reported By: 
* Simon Kapadia [6]

Fixed By: 
* John Ennew [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/session_limit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/session_limit/releases/7.x-2.3
[4] https://www.drupal.org/project/session_limit/releases/8.x-1.0-beta3
[5] https://www.drupal.org/project/session_limit
[6] https://www.drupal.org/user/3524044
[7] https://www.drupal.org/user/1150042
[8] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.
