Secure Login Module for Drupal contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Upgrade to version 7.x-1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2012-4489 (see also: NVD)
• Secunia Advisory ID: 50067
• Vendor Specific Advisory URL: http://drupal.org/node/1700594
• Vendor Specific News/Changelog Entry: http://drupalcode.org/project/securelogin.git/commitdiff/88518df
  https://drupal.org/node/1692976
  https://drupal.org/node/1698988
• Other Advisory URL: http://www.openwall.com/lists/oss-security/2012/10/04/6
  http://www.openwall.com/lists/oss-security/2012/10/07/1

• Albert Martin