oss-sec mailing list archives

CVE request: drupalauth module for simpleSAMLphp trivial impersonation

From: "Thijs Kinkhorst" <thijs () debian org>
Date: Tue, 5 Nov 2013 09:54:01 +0100

Hi,

Alan Barrett reported an issue in the drupalauth module for simpleSAMLphp,
which takes the username out of a cookie which is obviously under control
of the user.

Report and patch:
http://code.google.com/p/drupalauth/issues/detail?id=9

(Note that this is an independently developed module not part of the
simpleSAMLphp core distribution. Note also that this module is used for
Drupal as an authentication source, and is not related to using Drupal
with simpleSAMLphp as an SP).


Cheers,
Thijs

Current thread:

CVE request: drupalauth module for simpleSAMLphp trivial impersonation Thijs Kinkhorst (Nov 05)
- Re: CVE request: drupalauth module for simpleSAMLphp trivial impersonation Kurt Seifried (Nov 08)