https://bugzilla.redhat.com/show_bug.cgi?id=464162

From the Fedora bug:

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session
cookie in an https session, which can cause the cookie to be sent in http
requests and make it easier for remote attackers to capture this cookie.

http://int21.de/cve/CVE-2008-3661-drupal.html
http://www.securityfocus.com/bid/31285

Comments

Damien Tournoud

Priority: Critical » Normal
Status: Active » Closed (works as designed)

First, security issues should not be filed in the public issue tracker, following our security guidelines.

Second, we consider that this is a configuration problem. It's your responsibility to set session.cookie_secure in the SSL virtual host if you want an SSL-only website.
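The configuration the maintainer is pointing at, as an added example that is not part of the original issue or of Drupal's own code: a fragment for the site's settings.php (path assumed to be sites/default/settings.php) that turns on session.cookie_secure only for requests that arrived over TLS, which is what "set it in the SSL virtual host" amounts to when one settings.php is shared by an HTTP and an HTTPS virtual host. The $_SERVER['HTTPS'] convention assumed here is the one Apache's mod_ssl uses.

```php
<?php
// Added example, not Drupal core code: settings.php fragment for a site whose
// authenticated pages are served over HTTPS only.
// Drupal 5.x/6.x do not set the Secure flag on the session cookie themselves,
// so the flag has to come from the PHP session configuration (the maintainers'
// position in the issue above).

// Detect whether this request came in over TLS. Apache's mod_ssl sets
// $_SERVER['HTTPS'] to "on" inside an SSL virtual host; some front ends set it
// to "off" or leave it unset for plain-HTTP requests, so test for both.
$request_is_https = !empty($_SERVER['HTTPS'])
  && strtolower($_SERVER['HTTPS']) !== 'off';

if ($request_is_https) {
  // With the Secure flag set, the browser returns the session cookie only on
  // HTTPS requests, so a plain-HTTP request to the same host (a mixed-content
  // image, a typed http:// URL) cannot carry it in the clear.
  ini_set('session.cookie_secure', 1);
}

// Consequence to be aware of: a session started over HTTPS is then invisible
// to HTTP requests, which simply see an anonymous session. That is the wanted
// behaviour for an SSL-only site; on a mixed site the authenticated part has
// to live entirely on the HTTPS virtual host for this to be effective.
```

The equivalent per-virtual-host setting for Apache with mod_php is `php_flag session.cookie_secure on` inside the `<VirtualHost *:443>` block, which avoids touching settings.php at all. Whichever form is used, a quick check is to log in over HTTPS and confirm that the `Set-Cookie:` response header for the session cookie carries the `secure` attribute.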