[Security-news] SA-CONTRIB-2009-031 - Ajax Session - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed May 27 17:20:11 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-031
  * Project: Ajax Session (third-party module)
  * Version: 5.x
  * Date: 2009 May 27
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Ajax session module allows users to set PHP session variables using AJAX.
The module does not make proper use of the Drupal API, leaving it open to
multiple vulnerabilities, including Cross Site Request Forgeries (CSRF [1])
and Cross Site Scripting (XSS [2]).
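The two weakness classes named above both come from skipping the Drupal API checks an AJAX callback normally relies on. As an added illustration (this is not the Ajax Session module's code, and the module name `example_session`, its menu path and the session keys are hypothetical), here is a Drupal 5.x-style callback written the way the API intends: the request is restricted to POST, a per-session token from `drupal_get_token()` / `drupal_valid_token()` defends against CSRF, only a fixed set of session keys may be written, and everything echoed back goes through `check_plain()` so it cannot carry script into the page.

```php
<?php
// Hypothetical Drupal 5.x module "example_session" (illustration only, not the
// Ajax Session module). Shows the API calls a session-setting AJAX endpoint
// should use so that it is not forgeable (CSRF) and does not reflect raw input (XSS).

/**
 * Implementation of hook_menu() (Drupal 5 signature).
 * Registers the AJAX endpoint behind a normal access check.
 */
function example_session_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path'     => 'example_session/set',
      'callback' => 'example_session_set',
      'access'   => user_access('access content'),
      'type'     => MENU_CALLBACK,
    );
  }
  return $items;
}

/**
 * Implementation of hook_init().
 * Hands the page's JavaScript a token bound to the current session, so the
 * browser-side code can send it with each request. Sites forging a request
 * from another origin cannot read this value.
 */
function example_session_init() {
  drupal_add_js(array('exampleSession' => array(
    'token' => drupal_get_token('example_session'),
  )), 'setting');
}

/**
 * Menu callback: store one whitelisted key/value pair in the PHP session.
 *
 * Weak pattern this replaces (the kind of shortcut the advisory describes):
 *   $_SESSION[$_GET['key']] = $_GET['value']; print $_GET['value'];
 * That line accepts GET (trivially forged via an <img> or link), has no
 * token, lets the caller choose any session key, and reflects input unescaped.
 */
function example_session_set() {
  // Forged cross-site requests are most easily made as GET; insist on POST.
  if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    drupal_access_denied();
    return;
  }

  // CSRF defence: the token must match the one issued to this session.
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'example_session')) {
    drupal_access_denied();
    return;
  }

  // Only let the client touch keys this module owns (hypothetical keys).
  $allowed = array('sidebar_collapsed', 'theme_variant');
  $key   = isset($_POST['key'])   ? $_POST['key']   : '';
  $value = isset($_POST['value']) ? $_POST['value'] : '';
  if (!in_array($key, $allowed, TRUE)) {
    drupal_json(array('status' => 0, 'message' => 'unknown session key'));
    return;
  }

  // Namespace the stored data so it cannot clobber core's own session entries.
  $_SESSION['example_session'][$key] = $value;

  // XSS defence: escape anything that is echoed back before it reaches the page.
  drupal_json(array(
    'status' => 1,
    'key'    => check_plain($key),
    'value'  => check_plain($value),
  ));
}
```

The browser side would POST `key`, `value` and `Drupal.settings.exampleSession.token` to `example_session/set`; a request that arrives without a valid token, or that tries to write a key outside the whitelist, is refused rather than acted on.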

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Ajax Session 5.x-1.0

Drupal core is not affected. If you do not use the contributed Ajax Session
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

There is no solution available. Disable the module and remove it from your
site. The module has been removed from Drupal.org.

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Dmitri Gaskin (dmitrig01 [3]).

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/user/47566