------------SA-2008-011 - SECURESITE - ACCESS BYPASS------------
* Advisory ID: DRUPAL-SA-2008-011
* Project: Secure Site (third-party module)
* Version: 5.x-1.0, 4.7.x-1.0
* Date: 2008-January-30
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass
------------DESCRIPTION------------
The Secure Site module provides functions for placing your site behind HTTP-based authentication.
The module contains a flaw that allows an attacker who is behind the same proxy as a logged-in user to access the site as if the attacker were that user.
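Added illustration, not the module's code: a simplified, hypothetical model of a gate that remembers a login by client IP address, next to one that checks the HTTP credentials on every request, showing why the first cannot tell apart two clients behind one proxy. The class names, sample account and proxy address are constructed for this example.

```python
import base64
from dataclasses import dataclass, field

# Constructed sample data: one account and one shared proxy address.
USERS = {"alice": "correct horse"}
PROXY_ADDR = "192.0.2.10"  # both clients reach the site through this proxy

@dataclass
class Request:
    remote_addr: str          # address the web server sees (the proxy's)
    authorization: str = ""   # value of the HTTP Authorization header

def basic_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def check_basic(header: str):
    """Return the user name if the Basic credentials are valid, else None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None

@dataclass
class IpKeyedGate:
    """Hypothetical gate that remembers a login by client IP address."""
    known: dict = field(default_factory=dict)

    def handle(self, req: Request):
        user = check_basic(req.authorization)
        if user:
            self.known[req.remote_addr] = user   # login remembered per address
        return self.known.get(req.remote_addr)   # address alone identifies the user

class PerRequestGate:
    """Gate that trusts only credentials carried by the request itself."""
    def handle(self, req: Request):
        return check_basic(req.authorization)

def shared_proxy_scenario(gate):
    """One client logs in, then a second client with no credentials uses the same proxy."""
    alice = gate.handle(Request(PROXY_ADDR, basic_header("alice", "correct horse")))
    other = gate.handle(Request(PROXY_ADDR))
    return alice, other
```

`shared_proxy_scenario(IpKeyedGate())` returns the same user for both requests, while `shared_proxy_scenario(PerRequestGate())` returns no user for the request that carries no credentials.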
------------VERSIONS AFFECTED------------
* Secure Site for Drupal 5.x and 4.7.x.
Drupal core is not affected. If you do not use the contributed Secure Site module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* If you use Drupal 5.x, upgrade to Secure Site 5.x-1.1 [ http://drupal.org/node/216054 ].
* If you use Drupal 4.7.x, upgrade to Secure Site 4.7.x-1.1 [ http://drupal.org/node/216053 ].
See also the Secure Site project page [ http://drupal.org/project/securesite ].
Since the IP-authentication feature proved to be beyond fixing, it was removed from the new releases.
------------REPORTED BY------------
Tim Altman [ http://drupal.org/user/7006 ]
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].