oss-sec mailing list archives
CVE request: drupalauth module for simpleSAMLphp trivial impersonation
From: "Thijs Kinkhorst" <thijs () debian org>
Date: Tue, 5 Nov 2013 09:54:01 +0100
Hi,

Alan Barrett reported an issue in the drupalauth module for simpleSAMLphp, which takes the username out of a cookie which is obviously under control of the user.

Report and patch:
http://code.google.com/p/drupalauth/issues/detail?id=9

(Note that this is an independently developed module not part of the simpleSAMLphp core distribution. Note also that this module is used for Drupal as an authentication source, and is not related to using Drupal with simpleSAMLphp as an SP).

Cheers,
Thijs
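
An added example, not part of the original message and not the module's actual patch: one general way to stop a cookie-carried identity from being trusted as-is is to bind it to a server-side secret with an HMAC and verify that binding before use. The cookie name, value layout, function names and secret are assumptions made for illustration.

```php
<?php
// Added illustration; this is not drupalauth code. The cookie name, the
// "user|expiry|mac" layout and all function names are hypothetical.

// Server-side secret that never leaves the server (constructed sample value).
const COOKIE_SECRET = 'constructed-sample-secret';

// Pattern of the kind reported: the identity is whatever the cookie says.
function identity_from_plain_cookie(array $cookies): ?string
{
    return $cookies['auth_user'] ?? null;
}

// Issue "user|expiry|mac"; the MAC covers both the username and the expiry.
function issue_signed_cookie(string $username, int $ttl, int $now): string
{
    // rawurlencode() keeps the '|' delimiter out of the username field.
    $payload = rawurlencode($username) . '|' . ($now + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

// Return the username only if the MAC verifies and the value has not expired.
function identity_from_signed_cookie(array $cookies, int $now): ?string
{
    $value = $cookies['auth_user'] ?? null;
    if (!is_string($value)) {
        return null;
    }
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null;
    }
    return rawurldecode($user);
}

// Constructed sample run: plain cookie, valid, altered username, expired.
$now   = 1383641641;
$good  = issue_signed_cookie('alice', 300, $now);
$edited = preg_replace('/^alice/', 'admin', $good);
var_dump(identity_from_plain_cookie(['auth_user' => 'admin']));
var_dump(identity_from_signed_cookie(['auth_user' => $good], $now));
var_dump(identity_from_signed_cookie(['auth_user' => $edited], $now));
var_dump(identity_from_signed_cookie(['auth_user' => $good], $now + 301));
```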