Comments (2)
I will review this and get this corrected on or after Dec 11th. Unfortunately
that's the fastest I can get to this.
In terms of scope this vulnerability seems to be limited to installations that
use the drupalauth:External authsource. Installations that use the
drupalauth:UserPass do not appear to be affected.
Original comment by [email protected]
on 4 Dec 2013 at 1:16
- Changed state: Accepted
- Added labels: Priority-High
- Removed labels: Priority-Medium
from drupalauth.
Alan,
Thank you for identifying the issue and for submitting your patch. I have
reviewed and tested your changes. Unfortunately, they do not work in all
situations. So, I have incorporated the aspects that I could and resolved the
cookie manipulation vector by including the uid along with the salt before
generating the hash. This ensures that no one can manipulate the hash or the
uid.
Unfortunately, this approach will require people to update both External.php
and drupal4ssp.module.
I have uploaded a new release for download version 1.2.2.
Original comment by [email protected]
on 10 Dec 2013 at 5:58
- Changed state: Fixed
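The fix this comment describes (mixing the uid in with the salt before hashing, so the uid field of the cookie can no longer be rewritten independently of the hash) shown side by side with the weak form, as an added illustration in PHP. This is not drupalauth's or drupalauth4ssp's own code: the function names, the `uid:hash` cookie layout, the use of HMAC as the way of combining salt and uid, and the salt value are all assumptions made for the example.

```php
<?php
// Added illustration, not the module's code. Assumed cookie layout: "uid:hash".

// Weak scheme: the hash covers only the secret salt, so the uid travels in the
// cookie unbound to the hash. A valid hash stays valid for any uid.
function weak_make_cookie(int $uid, string $salt): string {
    return $uid . ':' . hash('sha256', $salt);
}

function weak_verify_cookie(string $cookie, string $salt): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    [$uid, $hash] = $parts;
    return hash_equals(hash('sha256', $salt), $hash) ? (int) $uid : null;
}

// Fixed scheme: the uid is bound into the hash (HMAC keyed with the salt, an
// assumption; the comment only says uid and salt are hashed together), so any
// change to the uid field makes the hash fail verification.
function fixed_make_cookie(int $uid, string $salt): string {
    return $uid . ':' . hash_hmac('sha256', (string) $uid, $salt);
}

function fixed_verify_cookie(string $cookie, string $salt): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    [$uid, $hash] = $parts;
    $expected = hash_hmac('sha256', $uid, $salt);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $hash) ? (int) $uid : null;
}

// Constructed check: take a legitimate cookie for uid 42 and rewrite only the
// uid field to 7, leaving the hash untouched, then verify both variants.
$salt = 'example-secret-salt-from-config'; // placeholder, not a real value
$rewrite_uid = static function (string $cookie): string {
    return preg_replace('/^\d+:/', '7:', $cookie);
};

$weak  = weak_make_cookie(42, $salt);
$fixed = fixed_make_cookie(42, $salt);

// The weak verifier returns the rewritten uid; the fixed verifier returns null
// for the tampered cookie and 42 for the untouched one.
var_dump(weak_verify_cookie($rewrite_uid($weak), $salt));
var_dump(fixed_verify_cookie($rewrite_uid($fixed), $salt));
var_dump(fixed_verify_cookie($fixed, $salt));
```

Because the salt is a secret held only by the server, the cookie holder cannot recompute the HMAC for a different uid; a rotated salt also invalidates every outstanding cookie, which is the expected trade-off when the fix is rolled out.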