Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform.
This module doesn't sufficiently shield multi-site installations.
This vulnerability is mitigated by the fact that the server must be using Apache and must host multiple sites on a common platform. An attacker must have a knowledge about used filenames and the server.
Install the latest version:
- If you use Aegir hosting system, upgrade to Aegir HTTPS 7.x-3.170
Also see the Aegir HTTPS project page.
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Cash Williams of the Drupal Security Team