Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-026
- Project: LoginToboggan (third-party module)
- Version: 6.x
- Date: 2009-May-13
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
LoginToboggan includes a setting which, if enabled, allows users to log in using either their username or e-mail address. In some circumstances, previously blocked users may still be able to access the site if this setting is enabled.
- LoginToboggan 6.x-1.x prior to 6.x-1.5
LoginToboggan for Drupal 5.x is not affected by this vulnerability.
Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.
Upgrade to the latest version:
- If you use LoginToboggan 6.x-1.x upgrade to LoginToboggan 6.x-1.5
As a temporary workaround, you may also disable the 'Allow users to login using their e-mail address' setting at Administer -> User management -> LoginToboggan.
See also the LoginToboggan project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.