Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075
  • Date: Wed, 6 Nov 2019 17:22:26 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-075

Project: Open Social [1]
Date: 2019-November-06
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Insecure Session Management

Description: 
Open Social is a Drupal distribution for online communities. The included
social_magic_login module doesn't sufficiently validate magic login URLs for
user accounts that do not have a local password, but login via external
systems. The lack of validation makes it possible for an adversary to forge
valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login
needs to be enabled.

Solution: 
Install the latest version:

* If you use the Open Social distribution for Drupal 8.x-7.x, upgrade to
open social 8.x-7.1 [3]
* If you use the Open Social distribution for Drupal 8.x-6.x, upgrade to
open social 8.x-6.5 [4]

Alternatively, disable the module social_magic_login.

Also see the Open Social [5] project page.

Reported By: 
* Heine [6] of the Drupal Security Team

Fixed By: 
* Heine [7] of the Drupal Security Team
* Alexander Varwijk [8]
* Ronald te Brake [9]
* Drew Webber [10] of the Drupal Security Team

Coordinated By: 
* Heine [11] of the Drupal Security Team


[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/8.x-7.1
[4] https://www.drupal.org/project/social/releases/8.x-6.5
[5] https://www.drupal.org/project/social
[6] https://www.drupal.org/user/17943
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/1868952
[9] https://www.drupal.org/user/2314038
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/17943

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075, security-news, 06.11.2019

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang