[Security-news] SA-CONTRIB-2010-042: LoginToboggan - Session fixation

[security-news at drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-042
  * Project: LoginToboggan (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-05-12
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Session fixation

-------- DESCRIPTION  
---------------------------------------------------------

The LoginToboggan module provides a customized log in workflow. Attackers may
be able to exploit the workflow to initiate a session fixation [1] attack.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * LoginToboggan versions for the 5.x and 6.x versions of Drupal

Drupal core is not affected. If you do not use the contributed LoginToboggan
module for Drupal 5.x or 6.x, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version of the module:
  * 5.x: LoginToboggan 5.x-1.7 [2]
  * 6.x: LoginToboggan 6.x-1.7 [3]

See also the LoginToboggan [4] project page.
-------- REPORTED BY  
---------------------------------------------------------

  * Chad Phillips (hunmonk [5]), the module maintainer and member of the
    Drupal Security Team.

-------- FIXED BY  
------------------------------------------------------------

  * Chad Phillips (hunmonk [6]), the module maintainer and member of the
    Drupal Security Team.

-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [7].

Read more about the Security Team and Security Advisories at
http://drupal.org/security.


[1] http://en.wikipedia.org/wiki/Session_fixation
[2] http://drupal.org/node/797154
[3] http://drupal.org/node/797158
[4] http://drupal.org/project/logintoboggan
[5] http://drupal.org/user/22079
[6] http://drupal.org/user/22079
[7] http://drupal.org/contact