Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2014-004
- Project: Secure Cookie Data (third-party module)
- Version: 7.x
- Date: 2014-January-22
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure, Multiple vulnerabilities
Description
This module allows for storing data securely in a cookie through implementing the Secure Cookie Protocol.
Ability to alter trusted data in the cookie
The module did an incorrect comparison of the HMAC value, allowing a bypass of the HMAC verification which allows changing the cookie value.
Known encryption key value
The key for the HMAC provided a default that was hardcoded. The module relied on the extension of the base class to provide a per site specific key.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Secure Cookie Data 7.x-2.x versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed Secure Cookie Data module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Secure Cookie Data module upgrade to Secure Cookie Data 7.x-2.1
Also see the Secure Cookie Data project page.
Reported by
- Heine Deelstra of the Drupal Security Team
- Jonathan Kuma module maintainer
Fixed by
- Antonio Almeida and Jonathan Kuma the module maintainers.
Coordinated by
- Heine Deelstra and Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
