The pubcookie module for Drupal contains a flaw that may allow a malicious user to spoof a user's identity by bypassing the login redirection mechanism. It is possible that the flaw may allow the attacker to spoof the administrative user resulting in a loss of integrity.
Classification
Location:
Remote / Network Access
Attack Type:
Authentication Management,
Input Manipulation
Impact:
Loss of Integrity
Exploit:
Exploit Unknown
Disclosure:
OSVDB Verified
OSVDB:
Web Related
Solution
Upgrade to the latest version, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. If you have downloaded pubcookie prior to September 8, 2006 or the CVS $Id$ is older than the following, an upgrade is required: 4.6: pubcookie.module,v 1.2.2.4 2006/09/07 01:44:11 jvandyk Exp $ 4.7: pubcookie.module,v 1.6.2.1 2006/09/06 22:43:31 jvandyk Exp $
This product uses the Daylife API but is not endorsed or certified by Daylife.
This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
gmail.com -
