[Security-news] Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

security-news at drupal.org security-news at drupal.org
Wed Oct 31 18:14:08 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-072

Project: Session Limit [1]
Version: 7.x-2.28.x-1.0-beta2
Date: 2018-October-31
Security risk: *Critical* 15∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Insecure Session Management

Description: 
The session limit module enables a site administrator to set a policy around
the number of active sessions users of the site may have. This is typically
set to one so that you can only be logged in once with the same user account.

In one configuration of the module, when a user logs in with another session
elsewhere already active, the module asks the user which session should be
closed before they can proceed with login. The module does not sufficiently
tokenise the list of sessions so that the user's session keys can be found
through inspection of the form.

This vulnerability is mitigated by the fact that an attacker must already be
able to intercept the contents of the HTML page to exploit the issue. That
ability to intercept may come from Cross Site Scripting.  This makes a Cross
Site Scripting vulnerability worse than it would normally be.

Solution: 
Install the latest version:

   * If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3 
[3]
   * If you use the Session Limit module for Drupal 8.x, upgrade to
     8.x-1.0-beta3 [4]

Also see the Session Limit [5] project page.

Reported By: 
   * Simon Kapadia  [6]

Fixed By: 
   * John Ennew  [7]

Coordinated By: 
   * Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/session_limit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/session_limit/releases/7.x-2.3
[4] https://www.drupal.org/project/session_limit/releases/8.x-1.0-beta3
[5] https://www.drupal.org/project/session_limit
[6] https://www.drupal.org/user/3524044
[7] https://www.drupal.org/user/1150042
[8] https://www.drupal.org/u/greggles



More information about the Security-news mailing list