- Advisory ID: DRUPAL-SA-CONTRIB-2011-005
- Project: AES (third-party module)
- Version: 7.x
- Date: 2011-February-02
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure
Description
Debugging code mistakenly left in the release writes the plain-text password of the user who last logged in to a text file in the Drupal root directory. This file is remotely accessible, so an attacker who knows which user last logged in may access that user's account.
Versions affected
- AES module for Drupal 7.x-1.4
Drupal core is not affected. If you do not use the contributed AES module there is nothing you need to do.
Solution
Install the latest version:
- If you use the AES module for Drupal 7.x, upgrade to AES 7.x-1.5.
See also the AES project page.
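To check a site against this advisory, the shell functions below (an added example, not code from the advisory or the AES project) read the installed module's version and list root-level text files that Drupal core does not ship. The `sites/all/modules/aes` path, the packaged `version = "..."` line in `aes.info`, the core file list and the `.txt` extension of the leaked file are assumptions; the advisory does not name the file.

```shell
#!/bin/sh
# Added example: not code from the advisory or the AES project.
# Assumptions: the module's .info file carries the drupal.org packaging line
# `version = "7.x-1.4"`, and the leaked file has a .txt extension (the
# advisory does not name it).

# Text files shipped in the Drupal 7 core root (assumed list; adjust to your release).
CORE_TXT="CHANGELOG.txt COPYRIGHT.txt INSTALL.mysql.txt INSTALL.pgsql.txt INSTALL.sqlite.txt INSTALL.txt LICENSE.txt MAINTAINERS.txt README.txt UPGRADE.txt robots.txt"

# Print the version string from a module .info file (empty if absent).
aes_module_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed only for the release the advisory lists as affected.
is_affected() {
    [ "$1" = "7.x-1.4" ]
}

# List top-level .txt files in the Drupal root that core does not ship.
unexpected_root_text_files() {
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case " $CORE_TXT " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Report for one site: module version status plus any files to inspect.
check_site() {
    root=$1
    info="$root/sites/all/modules/aes/aes.info"   # assumed install path
    if [ -f "$info" ]; then
        v=$(aes_module_version "$info")
        if is_affected "$v"; then
            echo "AES $v: affected, upgrade to 7.x-1.5"
        else
            echo "AES $v: not the affected release"
        fi
    else
        echo "AES module not found at $info"
    fi
    unexpected_root_text_files "$root" | sed 's/^/root-level text file not shipped by core: /'
}

if [ "$#" -gt 0 ]; then check_site "$1"; fi
```

Run it with the Drupal root as the only argument; any file it lists should be inspected by hand, and the password of an account whose credentials appear in it should be changed.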
Reported by
Fixed by
- Johan Lindskog, module maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.