[IT-SecNots] [Security-news] Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2021-011

Project: Open Social [1]
Date: 2021-June-02
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Authentication Bypass

Description: 
Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate magic
login URLs for user accounts. The lack of validation makes it possible for an
adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login
needs to be enabled.

Solution: 
Install the latest version of Open Social:

  * If you use the Open Social distribution for Drupal 10.0.x, upgrade to 
Open
    Social 10.0.13 [3]
  * If you use the Open Social distribution for Drupal 10.1.x, upgrade to 
Open
    social 10.1.6 [4]

Alternatively, disable the module social_magic_login.

Reported By: 
  * Ronald te Brake [5]
  * Alexander Varwijk [6]
  * Robert Ragas [7]

Fixed By: 
  * Ronald te Brake [8]
  * Alexander Varwijk [9]
  * Robert Ragas [10]

Coordinated By: 
  * Greg Knaddison [11] of the Drupal Security Team


[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/10.0.13
[4] https://www.drupal.org/project/social/releases/10.1.6
[5] https://www.drupal.org/user/2314038
[6] https://www.drupal.org/user/1868952
[7] https://www.drupal.org/user/2723261
[8] https://www.drupal.org/user/2314038
[9] https://www.drupal.org/user/1868952
[10] https://www.drupal.org/user/2723261
[11] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news