  • Advisory ID: DRUPAL-SA-CONTRIB-2009-015
  • Project: Token authentication (third-party module)
  • Version: 6.x
  • Date: 2009-March-25
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The Token authentication module allows access to RSS feeds via a token, without having to provide your username and password to the site. Token authentication did not properly use the Drupal Form API, which would allow a malicious user to learn the site administrator's token, giving them the ability to read any node on the site via an RSS feed.
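The advisory does not state which Form API misuse exposed the administrator's token, so the following is not a reconstruction of the bug and not the module's code. It is an added, framework-agnostic PHP sketch of the defensive pattern a feed-token feature should follow so that a token can only ever grant its owner's own access: tokens are unguessable, only a hash is stored, the comparison is constant-time, the owning uid is taken from the feed URL the owner was given rather than from a tamperable form field, and node visibility is decided by the token owner's permissions. All names, the sample users and the sample nodes are constructed for this example; `random_bytes()` and `hash_equals()` require PHP 7 / 5.6 respectively.

```php
<?php
// Added example, not the Token authentication module's code.
// Constructed sample user table: uid => ['name' => ..., 'is_admin' => bool]
$users = [
    1 => ['name' => 'admin',  'is_admin' => true],
    7 => ['name' => 'reader', 'is_admin' => false],
];

// Constructed sample nodes: nid => ['title' => ..., 'published' => bool]
$nodes = [
    10 => ['title' => 'Public post',       'published' => true],
    11 => ['title' => 'Unpublished draft', 'published' => false],
];

// Token storage keeps only a hash; the plaintext is returned to the owner
// once and is never rendered into a form or page another user can reach.
$tokenHashes = [];  // uid => sha256 hex digest of that user's token

function issueFeedToken(array &$tokenHashes, int $uid): string {
    $token = bin2hex(random_bytes(32));       // 256 bits, not guessable
    $tokenHashes[$uid] = hash('sha256', $token);
    return $token;                            // shown only to the requesting owner
}

// Resolve a presented token to a uid. The uid comes from the feed URL the
// owner was handed (e.g. /rss.xml?uid=7&token=...), never from a hidden
// form value the client controls, and the comparison is constant-time so
// the check leaks nothing about how many leading characters matched.
function resolveFeedToken(array $tokenHashes, int $uid, string $presented): ?int {
    if (!isset($tokenHashes[$uid])) {
        return null;
    }
    $ok = hash_equals($tokenHashes[$uid], hash('sha256', $presented));
    return $ok ? $uid : null;
}

// Node visibility is decided by the token owner's own permissions. A token
// issued to an ordinary user therefore never exposes unpublished content,
// regardless of what the administrator's token would be allowed to see.
function nodeVisibleTo(array $users, array $node, int $uid): bool {
    if ($node['published']) {
        return true;
    }
    return $users[$uid]['is_admin'] ?? false;
}

// Build the list of node ids the feed may contain for this uid/token pair.
// An invalid token yields an empty feed rather than falling back to any
// other account's access.
function buildFeed(array $users, array $nodes, array $tokenHashes, int $uid, string $token): array {
    $owner = resolveFeedToken($tokenHashes, $uid, $token);
    if ($owner === null) {
        return [];
    }
    $items = [];
    foreach ($nodes as $nid => $node) {
        if (nodeVisibleTo($users, $node, $owner)) {
            $items[] = $nid;
        }
    }
    return $items;
}

// Demonstration with the constructed data above.
$readerToken = issueFeedToken($tokenHashes, 7);
$adminToken  = issueFeedToken($tokenHashes, 1);
var_dump(buildFeed($users, $nodes, $tokenHashes, 7, $readerToken));  // reader sees published only
var_dump(buildFeed($users, $nodes, $tokenHashes, 1, $adminToken));   // admin sees the draft too
var_dump(buildFeed($users, $nodes, $tokenHashes, 1, $readerToken));  // wrong owner: empty feed
```

The point for a reviewer of any token-to-feed feature is the last two design choices: the token's plaintext must never be placed where a user other than its owner can read it (a form widget, a page fragment, a hidden field), and the access granted must be the owner's, so that even a leaked token cannot read more than that account could read when logged in.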

Versions affected

  • Token authentication 6.x-1.x prior to 6.x-1.1

Token authentication for Drupal 5.x is not affected by this vulnerability.

Drupal core is not affected. If you do not use the contributed Token authentication module, there is nothing you need to do.

Solution

Upgrade to the latest version:

See also the Token authentication project page.

Reported by

Stéphane Corlosquet of the Drupal Security Team.

Fixed by

Stéphane Corlosquet of the Drupal Security Team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.