Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-026
- Project: LoginToboggan (third-party module)
- Version: 6.x
- Date: 2009-May-13
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
LoginToboggan includes a setting which, if enabled, allows users to log in using either their username or e-mail address. In some circumstances, previously blocked users may still be able to access the site if this setting is enabled.
Versions affected
- LoginToboggan 6.x-1.x prior to 6.x-1.5
LoginToboggan for Drupal 5.x is not affected by this vulnerability.
Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use LoginToboggan 6.x-1.x upgrade to LoginToboggan 6.x-1.5
As a temporary workaround, you may also disable the 'Allow users to login using their e-mail address' setting at Administer -> User management -> LoginToboggan.
See also the LoginToboggan project page.
Reported by
Chad Phillips of the Drupal Security Team.
Fixed by
Chad Phillips of the Drupal Security Team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
