- Advisory ID: DRUPAL-SA-CONTRIB-2011-011
- Project: Secure Pages (third-party module)
- Version: 6.x
- Date: 2011-March-02
- Security risk: Less Critical (definition of risk levels)
- Exploitable from: Remote
- Vulnerability: Open Redirection
Description
The Secure Pages module allows administrators to choose certain URLs that must be delivered over HTTPS.
An open redirection bug allows an attacker to formulate a URL in a way that redirects the user to an arbitrarily provided URL.
Versions affected
- Secure Pages module for Drupal 6.x versions prior to 6.x-1.9
Drupal core is not affected. If you do not use the contributed Secure Pages module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Secure Pages module for Drupal 6.x upgrade to Secure Pages 6.x-1.9
See also the Secure Pages project page.
Reported by
Fixed by
- Gordon Heydon, module maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.