* Advisory ID: DRUPAL-SA-CONTRIB-2010-042 * Project: LoginToboggan (third-party module) * Version: 5.x, 6.x * Date: 2010-05-12 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Session fixation
-------- DESCRIPTION ---------------------------------------------------------
The LoginToboggan module provides a customized log in workflow. Attackers may be able to exploit the workflow to initiate a session fixation [1] attack. -------- VERSIONS AFFECTED ---------------------------------------------------
* LoginToboggan versions for the 5.x and 6.x versions of Drupal
Drupal core is not affected. If you do not use the contributed LoginToboggan module for Drupal 5.x or 6.x, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version of the module: * 5.x: LoginToboggan 5.x-1.7 [2] * 6.x: LoginToboggan 6.x-1.7 [3]
See also the LoginToboggan [4] project page. -------- REPORTED BY ---------------------------------------------------------
* Chad Phillips (hunmonk [5]), the module maintainer and member of the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
* Chad Phillips (hunmonk [6]), the module maintainer and member of the Drupal Security Team.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [7].
Read more about the Security Team and Security Advisories at http://drupal.org/security.
[1] http://en.wikipedia.org/wiki/Session_fixation [2] http://drupal.org/node/797154 [3] http://drupal.org/node/797158 [4] http://drupal.org/project/logintoboggan [5] http://drupal.org/user/22079 [6] http://drupal.org/user/22079 [7] http://drupal.org/contact