------------CHATROOM - SECURITY BYPASS------------
* Advisory ID: DRUPAL-SA-2006-030.
* Project: Chatroom (third-party module).
* Date: 2006-Dec-11.
* Security risk: Highly critical.
* Exploitable from: Remote.
* Vulnerability: Security bypass.
------------DESCRIPTION------------
The contributed module Chatroom broadcasts session ids of chatroom visitors to all participants in a room. Using those IDs, an attacker is able to hijack the session of those participants and gain their privileges on the site.
Additionally, messages supposed to be private are displayed in the last messages overview of a chatroom.
------------VERSIONS AFFECTED------------
All prerelease versions of Chatroom.
Drupal core is not affected. If you do not use the contributed chatroom module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* Chatroom 4.7.x.-1.0 [
http://drupal.org//node/102616].
See also the Chatroom project page [
http://drupal.org/project/chatroom].
------------REPORTED BY------------
Eirik Hodne.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact].
Aanmelden
Registreren
FAQ
Zoeken
