* Advisory ID: DRUPAL-SA-CONTRIB-2009-031 * Project: Ajax Session (third-party module) * Version: 5.x * Date: 2009 May 27 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Ajax session module allows users to set PHP session variables using AJAX. The module does not make proper use of the Drupal API, leaving it open to multiple vulnerabilities, including Cross Site Request Forgeries (CSRF [1]) and Cross Site Scripting (XSS [2]). -------- VERSIONS AFFECTED ---------------------------------------------------
* Ajax Session 5.x-1.0
Drupal core is not affected. If you do not use the contributed Ajax Session module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
There is no solution available. Disable the module and remove it from your site. The module has been removed from Drupal.org. -------- REPORTED BY ---------------------------------------------------------
* Reported by Dmitri Gaskin (dmitrig01 [3]).
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/user/47566