  • Advisory ID: DRUPAL-SA-CONTRIB-2009-069
  • Project: Shared Sign On (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009 September 30
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

The Shared Sign On module enables users to log into one Drupal site and be automatically logged into multiple related Drupal sites.

The module suffers from multiple vulnerabilities, including Cross Site Request Forgery (CSRF) and session fixation. These problems allow an attacker to hijack the account of a logged-in user by tricking them into visiting a seemingly innocent page.
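The two vulnerability classes named above have well-known defences in a cross-site login handoff: the request that logs the user in must carry a token an attacker's page cannot obtain, and the session identifier must be regenerated the moment the session becomes authenticated. The following is an added, framework-agnostic PHP illustration of both (it is not code from the Shared Sign On or Single Sign On modules; the function names and the `sso_csrf` / `uid` session keys are assumed, and it assumes PHP 7 or later for `random_bytes`):

```php
<?php
// Added illustration, not the Shared Sign On or Single Sign On module's code.
// Demonstrates (1) an anti-CSRF token on the login handoff request and
// (2) session ID regeneration at the privilege change, which together close
// the CSRF and session fixation classes described in the advisory.
// Function names and session keys below are assumed for this example.

session_start();

// Issue a token bound to the current session. The primary site embeds it in
// the handoff form it generates for the user; an attacker's page cannot read it.
function sso_csrf_token(): string {
    if (empty($_SESSION['sso_csrf'])) {
        $_SESSION['sso_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['sso_csrf'];
}

// Constant-time comparison so the check does not leak token bytes via timing.
function sso_csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['sso_csrf'])
        && hash_equals($_SESSION['sso_csrf'], $submitted);
}

// Called only after the secondary site has verified, by whatever means it
// trusts, that $uid is the account the user authenticated as on the primary site.
function sso_complete_login(int $uid): void {
    // Reject a forged cross-site handoff: no valid token, no login.
    if (!sso_csrf_valid($_POST['sso_csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing anti-CSRF token.');
    }
    // Defeat session fixation: discard the pre-login session ID (and its
    // stored data) and issue a fresh one before the session gains privilege.
    session_regenerate_id(true);
    unset($_SESSION['sso_csrf']);   // token is single-use
    $_SESSION['uid'] = $uid;
}
```

Regenerating the ID before any authenticated state is written is the important ordering: an ID the attacker planted earlier must never survive into the logged-in session.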

Versions affected

  • Versions of Shared Sign On for both Drupal 5.x and Drupal 6.x

Drupal core is not affected. If you do not use the contributed Shared Sign On module, there is nothing you need to do.

Solution

The Shared Sign On module is marked as unsupported. A separate project called Single Sign On has been created as a replacement. Download the Single Sign On module and carefully read the README.txt, as there is a risk of breaking a site if the instructions are not carried out correctly.

Reported by

Fixed by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.