  • Advisory ID: DRUPAL-SA-CONTRIB-2011-005
  • Project: AES (third-party module)
  • Version: 7.x
  • Date: 2011-February-02
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure


Debugging code mistakenly left in the release writes the plain text password of the user who last logged in to a text file in the Drupal root directory. This file is remotely accessible, so an attacker who knows which user last logged in may access that user's account.
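To check a site for a leftover file of the kind described above, the following added example (not part of the advisory or of the AES module) lists regular files in a Drupal 7 root directory that are not in an assumed allowlist of core root files. The advisory does not name the file, so the function name, the allowlist and the DRUPAL_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: list regular files in a Drupal 7 document root that are not
# part of the assumed core file set, so leftover debug output can be reviewed.

# Assumed allowlist of files shipped in the Drupal 7 root; adjust to your release.
CORE_ROOT_FILES='.editorconfig .gitignore .htaccess CHANGELOG.txt COPYRIGHT.txt
INSTALL.mysql.txt INSTALL.pgsql.txt INSTALL.sqlite.txt INSTALL.txt LICENSE.txt
MAINTAINERS.txt README.txt UPGRADE.txt authorize.php cron.php index.php
install.php robots.txt update.php web.config xmlrpc.php'

# Prints one unexpected file name per line.
# Returns 0 if none were found, 1 if any were found,
# 2 if the directory does not look like a Drupal root.
find_unexpected_root_files() {
    root=$1
    if [ ! -f "$root/index.php" ] || [ ! -d "$root/sites" ]; then
        echo "not a Drupal root: $root" >&2
        return 2
    fi
    found=0
    # Visible files first, then dotfiles (but not . and ..).
    for path in "$root"/* "$root"/.[!.]*; do
        [ -f "$path" ] || continue      # skip directories and unmatched globs
        name=${path##*/}
        known=0
        for core in $CORE_ROOT_FILES; do
            [ "$name" = "$core" ] && known=1 && break
        done
        if [ "$known" -eq 0 ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use (hypothetical path): DRUPAL_ROOT=/var/www/drupal sh check_root.sh
if [ -n "${DRUPAL_ROOT:-}" ]; then
    find_unexpected_root_files "$DRUPAL_ROOT"
fi
```

Files that a site legitimately keeps in its root will also be listed, so the output is a review list rather than a verdict.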

Versions affected

  • AES module for Drupal 7.x-1.4

Drupal core is not affected. If you do not use the contributed AES module there is nothing you need to do.


Install the latest version:

  • If you use the AES module for Drupal 7.x, upgrade to AES 7.x-1.5.

See also the AES project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.