• Advisory ID: DRUPAL-SA-2006-030.
• Project: Chatroom (third-party module).
• Date: 2006-Dec-11.
• Security risk: Highly critical.
• Exploitable from: Remote.
• Vulnerability: Security bypass.

Description

The contributed module Chatroom broadcasts the session IDs of chatroom visitors to every participant in a room. Because a session ID is all the site needs to recognise a logged-in user, any participant who reads one out of the broadcast can hijack that visitor's session and act on the site with that visitor's privileges, including those of administrators who happen to be in the room.

Additionally, messages that are supposed to be private are shown in the "last messages" overview of a chatroom, where other participants can read them.
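The two defects above, modelled as an added example in Python (this is a constructed illustration of the pattern, not the Chatroom module's PHP code, and the session IDs, usernames and message texts in it are made up). The vulnerable class puts each visitor's session ID in the participant list every client receives and returns private messages in the overview unfiltered; the hardened class identifies clients with an opaque per-room token instead and filters the overview by recipient.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Message:
    sender: str                       # username of the poster
    text: str
    private_to: Optional[str] = None  # None means visible to the whole room


class VulnerableChatroom:
    """Constructed model of the reported defects (not the module's code):
    the participant list sent to every client carries each visitor's
    session id, and the last-messages overview ignores private_to."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # session id -> username
        self.messages: List[Message] = []

    def join(self, session_id: str, username: str) -> None:
        self.sessions[session_id] = username

    def post(self, session_id: str, text: str,
             private_to: Optional[str] = None) -> None:
        self.messages.append(Message(self.sessions[session_id], text, private_to))

    def participants_payload(self) -> List[dict]:
        # Broadcast to all clients: the session id doubles as the user handle.
        return [{"name": name, "sid": sid} for sid, name in self.sessions.items()]

    def last_messages(self, viewer_session_id: str) -> List[Message]:
        # Overview returns everything, so bystanders see private traffic.
        return list(self.messages)

    def whoami(self, session_id: str) -> Optional[str]:
        # Stand-in for the site resolving a presented session cookie to a user.
        return self.sessions.get(session_id)


class HardenedChatroom(VulnerableChatroom):
    """Same interface; clients are named by an opaque per-room token that is
    never derived from the session id, and the overview honours private_to."""

    def __init__(self) -> None:
        super().__init__()
        self.room_tokens: Dict[str, str] = {}  # session id -> opaque token

    def join(self, session_id: str, username: str) -> None:
        super().join(session_id, username)
        self.room_tokens[session_id] = secrets.token_urlsafe(16)

    def participants_payload(self) -> List[dict]:
        return [{"name": name, "id": self.room_tokens[sid]}
                for sid, name in self.sessions.items()]

    def last_messages(self, viewer_session_id: str) -> List[Message]:
        viewer = self.sessions[viewer_session_id]
        return [m for m in self.messages
                if m.private_to is None or viewer in (m.sender, m.private_to)]


def steal_session(room: VulnerableChatroom, victim: str) -> Optional[str]:
    """What any participant can do with the vulnerable payload: read the
    victim's session id straight out of the broadcast participant list."""
    for entry in room.participants_payload():
        if entry["name"] == victim and "sid" in entry:
            return entry["sid"]
    return None


def demo(room_cls):
    """Run the attack against one room implementation; returns (stolen session
    id, identity the site grants for it, what the attacker sees in the overview)."""
    room = room_cls()
    room.join("sid-admin-001", "admin")      # constructed session ids
    room.join("sid-mallory-002", "mallory")
    room.join("sid-bob-003", "bob")
    room.post("sid-admin-001", "hello everyone")
    room.post("sid-admin-001", "the new password is hunter2", private_to="bob")
    stolen = steal_session(room, "admin")
    identity = room.whoami(stolen) if stolen else None
    overview = [m.text for m in room.last_messages("sid-mallory-002")]
    return stolen, identity, overview


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableChatroom))
    print("hardened:  ", demo(HardenedChatroom))
```

The fix is not to obfuscate the session ID but to stop sending it at all: a random token that exists only in the chatroom's own state lets clients refer to each other without anything that the rest of the site would accept as proof of identity.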

Versions affected

All prerelease versions of Chatroom.

Drupal core is not affected. If you do not use the contributed chatroom module, there is nothing you need to do.

Solution

Install the latest version:

See also the Chatroom project page.

Reported by

Eirik Hodne.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.