* Advisory ID: SA-CONTRIB-2011-005
* Project: AES (third-party module)
* Version: 7.x
* Date: 2011-February-02
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
Due to a piece of debugging code mistakenly left in the release, the plain text password of the user who last logged in is written to a text file in the Drupal root directory. This file is remotely accessible, so an attacker who knows which user last logged in may access that user's account.

-------- VERSIONS AFFECTED ---------------------------------------------------
* AES module for Drupal 7.x-1.4
Drupal core is not affected. If you do not use the contributed AES [1] module there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the AES module for Drupal 7.x upgrade to AES 7.x-1.5 [2]
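To confirm whether a site is still on the affected release, the packaged version line in the module's aes.info file can be checked against the fixed release named above. The following checker is an added example written for this advisory, not code from the AES project or the Drupal security team; the aes.info content it parses is a constructed sample, and unpackaged or dev checkouts are treated as unverified rather than fixed.

```python
import re

# Constructed sample of a packaged Drupal 7 aes.info; not the module's real file.
SAMPLE_AES_INFO = """name = AES encryption
description = "Provides AES encryption for Drupal."
core = 7.x
project = "aes"
version = "7.x-1.4"
"""

FIXED_VERSION = (7, 1, 5)  # AES 7.x-1.5, the release the advisory points to

def parse_info(text):
    """Parse the key = value lines of a Drupal .info file into a dict."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info

def parse_version(version):
    """'7.x-1.4' -> (7, 1, 4); dev or pre-release strings -> None."""
    m = re.fullmatch(r"(\d+)\.x-(\d+)\.(\d+)", version)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(info_text):
    """Return (affected, reason) for the content of one .info file."""
    info = parse_info(info_text)
    if info.get("project") != "aes":
        return (False, "not the AES module")
    version = info.get("version")
    if version is None:
        # Git/dev checkouts carry no version line, so the fix cannot be confirmed.
        return (True, "no version line; cannot prove it is 7.x-1.5 or later")
    parsed = parse_version(version)
    if parsed is None:
        return (True, "non-release version %r; cannot prove it is 7.x-1.5 or later" % version)
    if parsed[0] != 7:
        return (False, "core %d.x is not covered by this advisory" % parsed[0])
    if parsed < FIXED_VERSION:
        return (True, "AES %s is older than 7.x-1.5" % version)
    return (False, "AES %s includes the fix" % version)

if __name__ == "__main__":
    print(is_affected(SAMPLE_AES_INFO))  # (True, 'AES 7.x-1.4 is older than 7.x-1.5')
```

Run it against the real sites/all/modules/aes/aes.info of each site you maintain; a result of affected should be followed by the upgrade above and a check for leftover text files in the Drupal root.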
See also the AES project page. [3]

-------- REPORTED BY ---------------------------------------------------------
* Shawn Smiley [4]
-------- FIXED BY ------------------------------------------------------------
* Johan Lindskog [5], module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [6]. Learn more about the team and their policies [7], writing secure code for Drupal [8], and secure configuration [9] of your site.
[1] http://drupal.org/project/aes
[2] http://drupal.org/node/1040728
[3] http://drupal.org/project/aes
[4] http://drupal.org/user/317704
[5] http://drupal.org/user/123038
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration