- Advisory ID: DRUPAL-SA-2008-011
- Project: Secure Site (third-party module)
- Version: 5.x-1.0, 4.7.x-1.0
- Date: 2008-January-30
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The Secure Site module provides functions for placing your site behind HTTP based authentication.
The module contains a flaw that allows an attacker who is behind the same proxy as a logged in user, to access the site as if the attacker is the user.
Versions affected
- Secure Site for Drupal 5.x and 4.7.x.
Drupal core is not affected. If you do not use the contributed Secure Site module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal 5.x upgrade to Secure Site 5.x-1.1.
- If you use Drupal 4.7.x upgrade to Secure Site 4.7.x-1.1.
See also the Secure Site project page.
Since the IP-authentication feature proved to be beyond fixing it was removed from the new releases.
Reported by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.