First published: Wed Sep 29 2010(Updated: )
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Drupal Drupal | =6.0-beta2 | |
Drupal Drupal | =6.0-rc2 | |
Drupal Drupal | =6.2 | |
Drupal Drupal | =6.14 | |
Drupal Drupal | =6.13 | |
Drupal Drupal | =6.0-dev | |
Drupal Drupal | =6.0-beta4 | |
Drupal Drupal | =6.12 | |
Drupal Drupal | =6.0-rc3 | |
Drupal Drupal | =6.0-rc4 | |
Drupal Drupal | =6.4 | |
Drupal Drupal | =6.11 | |
Drupal Drupal | =6.0-beta1 | |
Drupal Drupal | =6.7 | |
Drupal Drupal | =6.8 | |
Drupal Drupal | =6.1 | |
Drupal Drupal | =6.17 | |
Drupal Drupal | =6.5 | |
Drupal Drupal | =6.10 | |
Drupal Drupal | =6.6 | |
Drupal Drupal | =6.0 | |
Drupal Drupal | =6.15 | |
Drupal Drupal | =6.0-beta3 | |
Drupal Drupal | =6.16 | |
Drupal Drupal | =6.3 | |
Drupal Drupal | =6.0-rc1 | |
Drupal Drupal | =6.9 | |
Peter Wolanin Openid | =5.x-1.1 | |
Peter Wolanin Openid | =5.x-1.0 | |
Peter Wolanin Openid | =5.x-1.2 | |
Peter Wolanin Openid | =5.x-1.3 | |
Peter Wolanin Openid | =5.x-1.x-dev |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.