=====================================================================
                          CERT-Renater
               Information Note No. 2011/VULN178
_____________________________________________________________________

DATE                 : 03/03/2011

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Secure Pages for DRUPAL
                       version 6.x prior to 6.x-1.9.

======================================================================
http://drupal.org/node/1079174
______________________________________________________________________

SA-CONTRIB-2011-011 - Secure Pages - Open redirect

Posted by Drupal Security Team on March 2, 2011 at 8:37pm

  * Advisory ID: DRUPAL-SA-CONTRIB-2011-011
  * Project: Secure Pages (third-party module)
  * Version: 6.x
  * Date: 2011-March-02
  * Security risk: Less Critical (definition of risk levels)
  * Exploitable from: Remote
  * Vulnerability: Open Redirection

Description

The Secure Pages module allows administrators to choose certain URLs
that must be delivered over HTTPS. An open redirection bug allows an
attacker to formulate a URL in a way that redirects the user to an
arbitrarily provided URL.

Versions affected

  * Secure Pages module for Drupal 6.x versions prior to 6.x-1.9

Drupal core is not affected. If you do not use the contributed Secure
Pages module, there is nothing you need to do.

Solution

Install the latest version:

  * If you use the Secure Pages module for Drupal 6.x, upgrade to
    Secure Pages 6.x-1.9

See also the Secure Pages project page.

Reported by

  * Mike Potter

Fixed by

  * Gordon Heydon, module maintainer

Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

Learn more about the team and their policies, writing secure code for
Drupal, and secure configuration of your site.
Categories: Drupal 6.x

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================