oss-sec mailing list archives
Re: CVE request: drupal issue in < 5.9
From: Nico Golde <oss-security+ml () ngolde de>
Date: Sun, 27 Jul 2008 19:17:08 +0200
Hi Miklos, * Miklos Vajna <vmiklos () frugalware org> [2008-07-27 18:49]:
On Sat, Jul 26, 2008 at 04:44:16PM -0400, "Steven M. Christey" <coley () linus mitre org> wrote:My interpretation of this new advisory is that they meant to fix the session fixation in 5.8, but they didn't. The original advisory covered multiple other issues as well. So this new advisory might better be considered a clarification of versions for the session fixation, rather than a regression error or incomplete fix (which would require a new CVE). Granted, the lack of specifics from Drupal makes it difficult to be certain about what happened.As far as I see, they wanted to fix the session fixation issue in 5.8, but the fix did not solve the problem, as you say.
Why didn't it solve the problem? http://drupal.org/files/sa-2008-046/SA-2008-046-5.8.patch compared to: diff -u -p -r1.745.2.26 user.module --- modules/user/user.module 7 Jan 2008 02:30:35 -0000 1.745.2.26 +++ modules/user/user.module 9 Jul 2008 20:37:51 -0000 @@ -968,9 +968,11 @@ function user_login_submit($form_id, $fo // Update the user table timestamp noting user has logged in. db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid); + // Regenerate the session ID to prevent against session fixation attacks. + sess_regenerate(); + user_module_invoke('login', $form_values, $user); - sess_regenerate(); return 'user/'. $user->uid; } } from http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch looks pretty much the same. So I guess they did not include their own patch in 5.8. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE request: drupal issue in < 5.9 Miklos Vajna (Jul 26)
- Re: CVE request: drupal issue in < 5.9 Nico Golde (Jul 26)
- Re: CVE request: drupal issue in < 5.9 Miklos Vajna (Jul 26)
- Re: CVE request: drupal issue in < 5.9 Steven M. Christey (Jul 26)
- Re: CVE request: drupal issue in < 5.9 Nico Golde (Jul 27)
- Re: CVE request: drupal issue in < 5.9 Miklos Vajna (Jul 27)
- Re: CVE request: drupal issue in < 5.9 Nico Golde (Jul 27)
- Re: CVE request: drupal issue in < 5.9 Miklos Vajna (Jul 27)
- Re: CVE request: drupal issue in < 5.9 Miklos Vajna (Jul 26)
- Re: CVE request: drupal issue in < 5.9 Nico Golde (Jul 26)