Hi there,
We have been moving an old university site to Drupal and have got to the point where we are having our security scans. The university security team use HP WebInspect for this and we have fought down numerous errors but there are two critical ones that we can't seem to figure out and it seems they may be somehow related to the Secure Login module.
I was hoping that someone could help us out as these are the last two errors between us and going live. I have attached the part of the report that refers to these two errors. Hopefully this is either something that is so minor we can explain it away or something that is a fairly easy fix.
Thanks in advance for any help you can offer.
Cheers
Hal
| Comment | File | Size | Author |
|---|---|---|---|
| Critical_Issues.pdf | 57 KB | rpgmp3 |
Comments
Comment #1
mfbThanks for reporting this. Please try out the latest version from CVS and let me know if it resolved the problem for you: http://drupal.org/cvs?commit=473568
Note I had already removed this functionality from the Drupal 7 branch so it shouldn't need fixing there.
For future reference, best practice is to report security vulnerabilities privately to the module maintainer and/or Drupal security team so the vulnerability will not be made public until a fix is available...
Comment #2
heine commentedIssues in modules without a supported release should be fixed in public.
Comment #3
mfbAh, didn't realize there were no releases. That makes it easier for me.. I don't have to actually release a security fix :)
I also backported this to the d5 branch.
Comment #4
mfbThis still could use review, as I don't use the securelogin_redirect setting that allowed this vulnerability. Setting to fixed, please re-open if there's still an issue here.