[Security-news] SA-CONTRIB-2011-048 - Certificate Login SQL Injection

security-news at drupal.org security-news at drupal.org
Wed Oct 12 19:39:02 UTC 2011


  * Advisory ID: DRUPAL-SA-CONTRIB-2011-048
  * Project: Certificate Login [1] (third-party module)
  * Version: 5.x, 6.x
  * Date: 2011-October-12
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: SQL Injection

-------- DESCRIPTION ---------------------------------------------------------

The Certificate Login module provides client certificate authentication of
Drupal users. Authentication is based on data fields taken from the client
certificate, which are then used as the user name for authentication. The
obtained data isn't properly sanitized through Drupal's database API, so,
depending on the module settings, it can lead to an SQL injection vulnerability.
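As an added illustration (hypothetical code, not the Certificate Login module's own, which this advisory does not quote), the class of bug described above beside the corrected form: a Drupal 5.x/6.x lookup that splices a certificate field straight into SQL, and the same lookup passed through the database API's '%s' placeholder so the value is escaped. It assumes Apache mod_ssl exporting the client certificate's CN as `SSL_CLIENT_S_DN_CN`; which certificate field is used is a module setting, which is why the advisory says exposure depends on configuration.

```php
<?php
// Added example, not the module's code. Assumes Apache mod_ssl with
// "SSLOptions +StdEnvVars" so the client cert CN arrives in $_SERVER.

/**
 * Vulnerable pattern: the certificate field is trusted as-is and concatenated
 * into the SQL string. db_query() performs no escaping when called with a
 * single argument, so the certificate subject can alter the statement.
 */
function certlogin_lookup_uid_vulnerable() {
  $name = isset($_SERVER['SSL_CLIENT_S_DN_CN']) ? $_SERVER['SSL_CLIENT_S_DN_CN'] : '';
  // BAD: no placeholder, no escaping of attacker-controlled certificate data.
  $result = db_query("SELECT uid FROM {users} WHERE name = '" . $name . "' AND status = 1");
  return db_result($result);
}

/**
 * Hardened pattern (Drupal 5.x/6.x database API): the value is supplied as an
 * argument for a '%s' placeholder, so db_query() escapes it and the certificate
 * field can only ever be compared against a user name, never change the query.
 */
function certlogin_lookup_uid_fixed() {
  $name = isset($_SERVER['SSL_CLIENT_S_DN_CN']) ? $_SERVER['SSL_CLIENT_S_DN_CN'] : '';
  // Reject empty or malformed names up front; user_validate_name() returns an
  // error message on failure and nothing on success (Drupal 5.x/6.x user.module).
  if ($name === '' || user_validate_name($name)) {
    return FALSE;
  }
  $result = db_query("SELECT uid FROM {users} WHERE name = '%s' AND status = 1", $name);
  $uid = db_result($result);
  return $uid ? (int) $uid : FALSE;
}

/**
 * Equivalent and simpler: let the user module build the query itself.
 * user_load() with an array of conditions uses placeholders internally.
 */
function certlogin_load_account() {
  $name = isset($_SERVER['SSL_CLIENT_S_DN_CN']) ? $_SERVER['SSL_CLIENT_S_DN_CN'] : '';
  if ($name === '' || user_validate_name($name)) {
    return FALSE;
  }
  return user_load(array('name' => $name, 'status' => 1));
}
```

Auditing a module for this class of defect means searching for db_query() calls whose SQL string is built with concatenation or interpolation of request-derived values, including values that arrive via $_SERVER rather than $_GET or $_POST.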

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Certificate Login versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Certificate
Login [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Certificate Login module for Drupal 6.x, upgrade to
    Certificate Login 6.x-2.3 [4].

Note: Drupal 5.x modules are no longer supported, including the Certificate
Login module for 5.x. If you use Drupal 5.x you should upgrade now.

See also the Certificate Login [5] project page.

-------- REPORTED BY ---------------------------------------------------------

  * Jyri-Petteri ”ZeiP” Paloposki [6]

-------- FIXED BY ------------------------------------------------------------

  * Jyri-Petteri ”ZeiP” Paloposki [7], a module maintainer

-------- COORDINATED BY ------------------------------------------------------

  * Greg Knaddison [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/certificatelogin
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/certificatelogin
[4] https://drupal.org/node/1306488
[5] http://drupal.org/project/certificatelogin
[6] http://drupal.org/user/201465
[7] http://drupal.org/user/201465
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
