Info

Disclosure

Sep 08, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

The pubcookie module for Drupal contains a flaw that may allow a malicious user to spoof a user's identity by bypassing the login redirection mechanism. It is possible that the flaw may allow the attacker to spoof the administrative user resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management, Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to the latest version, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. If you have downloaded pubcookie prior to September 8, 2006 or the CVS $Id$ is older than the following, an upgrade is required: 4.6: pubcookie.module,v 1.2.2.4 2006/09/07 01:44:11 jvandyk Exp $ 4.7: pubcookie.module,v 1.6.2.1 2006/09/06 22:43:31 jvandyk Exp $

Products

Drupal	Drupal	4.6
		4.7

References

Bugtraq ID: 19920
CVE ID: 2006-4717 (see also: NVD)
Secunia Advisory ID: 21811
VUPEN Advisory: ADV-2006-3530
Keyword: DRUPAL-SA-2006-019
Vendor Specific Advisory URL: http://drupal.org/node/83064
Vendor URL: http://drupal.org/project/pubcookie

Credit

Eric Drechsel - ericdrexgmail.com -

Direct URL: http://osvdb.org/28623