[Security-news] SA-CONTRIB-2009-069 - Shared Sign On - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Sep 30 21:16:47 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-069
  * Project: Shared Sign On (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009 September 30
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Shared Sign On module enables users to log into one Drupal site and be
automatically logged into multiple related Drupal sites. The module suffers
from multiple vulnerabilities, including cross-site request forgery (CSRF [1])
and session fixation [2]. These problems allow an attacker to hijack the
account of a logged-in user by tricking them into visiting a seemingly
innocent page.
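
As an added illustration that is not code from the Shared Sign On or Single Sign On modules, the Drupal 6 callback below shows the two checks a cross-site login handoff needs against the weaknesses named above: an HMAC-signed, expiring, single-use link (so a forged or replayed link is refused) and a regenerated session ID at login (so a planted session never becomes the authenticated one). All names are hypothetical; it assumes a shared secret in the `example_sso_secret` variable and an `example_sso_nonce` table with a UNIQUE `nonce` column.

```php
<?php
// Added illustration (not Shared Sign On or Single Sign On code): Drupal 6
// callback for a cross-site login handoff. Assumed: shared secret in the
// 'example_sso_secret' variable, {example_sso_nonce} table with a UNIQUE
// 'nonce' column; all names here are hypothetical.
function example_sso_menu() {
  $items['sso/login'] = array(
    'page callback' => 'example_sso_login',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// HMAC the originating site puts on the link; without the shared secret an
// attacker cannot build a link that passes this check (defeats CSRF).
function example_sso_sign($uid, $nonce, $expires) {
  return hash_hmac('sha256', "$uid|$nonce|$expires", variable_get('example_sso_secret', ''));
}

// Constant-time comparison; hash_equals() needs PHP >= 5.6.
function example_sso_equals($a, $b) {
  $diff = strlen($a) ^ strlen($b);
  for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
    $diff |= ord($a[$i]) ^ ord($b[$i]);
  }
  return $diff === 0;
}

function example_sso_login() {
  global $user;
  $uid = isset($_GET['uid']) ? (int) $_GET['uid'] : 0;
  $nonce = isset($_GET['nonce']) ? $_GET['nonce'] : '';
  $expires = isset($_GET['expires']) ? (int) $_GET['expires'] : 0;
  $sig = isset($_GET['sig']) ? $_GET['sig'] : '';
  // Reject forged, expired or replayed links before touching the session.
  // (SELECT-then-INSERT leaves a small race; the UNIQUE column closes it.)
  $used = db_result(db_query("SELECT 1 FROM {example_sso_nonce} WHERE nonce = '%s'", $nonce));
  $account = $uid > 0 ? user_load(array('uid' => $uid, 'status' => 1)) : FALSE;
  if (!$account || $expires < time() || $used || !example_sso_equals($sig, example_sso_sign($uid, $nonce, $expires))) {
    drupal_access_denied();
    return;
  }
  db_query("INSERT INTO {example_sso_nonce} (nonce) VALUES ('%s')", $nonce);
  // Session fixation: issue a fresh session ID at the moment of login so an
  // ID the visitor arrived with never becomes the authenticated session.
  $user = $account;
  sess_regenerate();
  drupal_goto('<front>');
}
```
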
-------- VERSIONS AFFECTED ---------------------------------------------------

  * Versions of Shared Sign On for both Drupal 5.x and Drupal 6.x

Drupal core is not affected. If you do not use the contributed Shared Sign On
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

The Shared Sign On module is marked as unsupported. A separate project
called Single Sign On [3] has been created as a replacement. Download the
Single Sign On module and carefully read its README.txt, as there is a risk of
breaking a site if the instructions are not carried out correctly.
-------- REPORTED BY ---------------------------------------------------------

  * Reported by Jose A. Reyero [4] and Steven Wittens [5].

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Steven Wittens [6] of Strutta Inc., and Jakub Suchy [7] and
    Heine Deelstra [8] of the Drupal Security Team.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Session_fixation
[3] http://drupal.org/project/sso
[4] http://drupal.org/user/4299
[5] http://drupal.org/user/10
[6] http://drupal.org/user/10
[7] http://drupal.org/user/31977
[8] http://drupal.org/user/17943
