• Advisory ID: DRUPAL-SA-CONTRIB-2010-042
  • Project: LoginToboggan (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-05-12
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Session fixation

Description

The LoginToboggan module provides a customized login workflow. Attackers may be able to exploit the workflow to initiate a session fixation attack, in which a session identifier that was known before authentication remains valid for the authenticated session.
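The following is an added illustration of the vulnerability class, not code from the LoginToboggan module or from Drupal core, and this page gives no detail of the module's own fix. It is a minimal Python session store with two login routines: one that keeps whatever session identifier the client presented before authentication (the fixation-prone pattern), and one that discards it and issues a fresh server-generated identifier at the moment of login. The store, the `login_vulnerable`/`login_hardened` names and the user "alice" are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for illustration only."""

    def __init__(self):
        # session id -> session data; None user means "not authenticated"
        self._sessions = {}

    def create(self):
        """Issue a fresh, unpredictable anonymous session id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        """Resolve a session id; None if the server does not know it."""
        return self._sessions.get(sid)

    def login_vulnerable(self, sid, user):
        """Fixation-prone: the id in use before authentication is kept,
        and an id the server never issued is accepted as-is."""
        session = self._sessions.setdefault(sid, {"user": None})
        session["user"] = user
        return sid

    def login_hardened(self, sid, user):
        """Rotate at the privilege change: drop the pre-login id entirely
        and bind the authenticated state to a new server-generated id."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def pre_login_id_still_authenticated(login_name):
    """Return True if an id known before login resolves to the authenticated
    user afterwards, i.e. if the login routine is exposed to fixation."""
    store = SessionStore()
    pre_login_sid = store.create()  # id that exists before authentication
    login = getattr(store, login_name)
    post_login_sid = login(pre_login_sid, "alice")

    # The id handed back at login must always carry the authenticated state.
    assert store.get(post_login_sid)["user"] == "alice"

    stale = store.get(pre_login_sid)
    return stale is not None and stale["user"] == "alice"


def check_vulnerable():
    return pre_login_id_still_authenticated("login_vulnerable")


def check_hardened():
    return pre_login_id_still_authenticated("login_hardened")


if __name__ == "__main__":
    print("vulnerable login exposed:", check_vulnerable())
    print("hardened login exposed:", check_hardened())
```

The defensive rule the hardened routine follows is the standard one: never let a session identifier survive a change in privilege, and never adopt a client-supplied identifier the server did not issue. In PHP, the equivalent primitive is `session_regenerate_id(true)`, called when the user's authentication state changes.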

Versions affected

  • LoginToboggan versions for the 5.x and 6.x versions of Drupal

Drupal core is not affected. If you do not use the contributed LoginToboggan module for Drupal 5.x or 6.x, there is nothing you need to do.

Solution

Install the latest version of the module:

See also the LoginToboggan project page.

Reported by

  • Chad Phillips (hunmonk), the module maintainer and member of the Drupal Security Team.

Fixed by

  • Chad Phillips (hunmonk), the module maintainer and member of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Read more about the Security Team and Security Advisories at http://drupal.org/security.