• Advisory ID: DRUPAL-SA-CONTRIB-2009-026
  • Project: LoginToboggan (third-party module)
  • Version: 6.x
  • Date: 2009-May-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass


LoginToboggan includes a setting which, if enabled, allows users to log in using either their username or e-mail address. In some circumstances, previously blocked users may still be able to access the site if this setting is enabled.

Versions affected

  • LoginToboggan 6.x-1.x prior to 6.x-1.5

LoginToboggan for Drupal 5.x is not affected by this vulnerability.

Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.


Upgrade to the latest version:

As a temporary workaround, you may also disable the 'Allow users to login using their e-mail address' setting at Administer -> User management -> LoginToboggan.

See also the LoginToboggan project page.

Reported by

Chad Phillips of the Drupal Security Team.

Fixed by

Chad Phillips of the Drupal Security Team.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.