- Advisory ID: DRUPAL-SA-CONTRIB-2011-005
- Project: AES (third-party module)
- Version: 7.x
- Date: 2011-February-02
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure
Debugging code mistakenly left in the release writes the plain-text password of the user who last logged in to a text file in the Drupal root directory. This file is remotely accessible, so an attacker who knows which user last logged in may access that user's account.
- AES module for Drupal 7.x-1.4
Drupal core is not affected. If you do not use the contributed AES module there is nothing you need to do.
Install the latest version:
- If you use the AES module for Drupal 7.x, upgrade to AES 7.x-1.5.
See also the AES project page.
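An added example, not part of the advisory or the AES module's code: a Python check that reads the installed AES module version and lists text files in the Drupal root that a stock Drupal 7 core does not ship. It assumes the module's info file is named aes.info somewhere under sites/; the advisory does not name the debug file, so any non-core .txt or .log file in the root is reported for manual review.

```python
import os
import re
import sys

# Text files that ship in a stock Drupal 7 root; anything else deserves a look.
CORE_ROOT_TXT = {
    "CHANGELOG.txt", "COPYRIGHT.txt", "INSTALL.mysql.txt", "INSTALL.pgsql.txt",
    "INSTALL.sqlite.txt", "INSTALL.txt", "LICENSE.txt", "MAINTAINERS.txt",
    "README.txt", "UPGRADE.txt", "robots.txt",
}
AFFECTED = {"7.x-1.4"}  # affected release named in the advisory
VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?', re.M)


def find_aes_version(root):
    """Return the version from the first aes.info under sites/ (assumed name)."""
    for dirpath, _dirs, files in os.walk(os.path.join(root, "sites")):
        if "aes.info" in files:
            path = os.path.join(dirpath, "aes.info")
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            return match.group(1) if match else None
    return None


def unexpected_root_text_files(root):
    """List .txt/.log files directly in the web root that core does not ship."""
    hits = []
    for name in sorted(os.listdir(root)):
        is_file = os.path.isfile(os.path.join(root, name))
        if is_file and name.lower().endswith((".txt", ".log")) \
                and name not in CORE_ROOT_TXT:
            hits.append(name)
    return hits


def audit(root):
    """Summarise module version, affected status and files to review."""
    version = find_aes_version(root)
    return {
        "aes_version": version,
        "affected": version in AFFECTED,
        "unexpected_root_files": unexpected_root_text_files(root),
    }


if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```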
- Johan Lindskog, module maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.