
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN229
____________________________________________________________________

DATE                : 24/05/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running the Drupal BrowserID (Mozilla Persona)
                            module, versions 7.x-1.x prior to 7.x-1.3.

======================================================================
http://drupal.org/node/1597414
______________________________________________________________________

SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities
Posted by Drupal Security Team on May 23, 2012 at 5:56pm

    Advisory ID: DRUPAL-SA-CONTRIB-2012-085
    Project: BrowserID (Mozilla Persona) (third-party module)
    Version: 7.x
    Date: 2012-May-23
    Security risk: Critical
    Exploitable from: Remote
    Vulnerability: Cross Site Request Forgery (results in Privilege Escalation)

Description

CVE: Requested

The BrowserID module provides integration with BrowserID (also known
as Mozilla Persona) -- a Mozilla project that lets users of your
site quickly and easily log in without needing to remember a
password specific to your site.

The module did not sufficiently validate requests for authentication
to log in, potentially allowing a Cross Site Request Forgery (CSRF)
attack and introducing the possibility that logging in to a malicious
site with BrowserID could give that site the ability to log in to
other websites using your BrowserID identity.
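
The relying-party checks the description points at, as an added example that is not the module's own code: a login endpoint that accepts any POSTed assertion with nothing tying the request to the user's session (so a page on another origin can submit one on the victim's behalf), beside a hardened version that requires a session-bound token and verifies against the server's own audience. The session object, the assertion format and the verifier call are constructed stand-ins; binding the token to the session is assumed to be the reason 7.x-1.3 depends on Session API.

```python
import hmac
import secrets
import time

SITE_AUDIENCE = "https://rp.example"  # constructed: this relying party's own origin


class Session:
    """Minimal server-side session holding a per-session CSRF token."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)
        self.user = None


def make_assertion(email, audience, ttl_ms=120_000):
    """Constructed stand-in for the assertion the browser hands to the site."""
    return {"email": email, "audience": audience,
            "expires": int(time.time() * 1000) + ttl_ms}


def fake_verifier(assertion, audience):
    """Stand-in for the HTTPS POST to the Persona verifier; a real verifier checks
    the signature chain, this stub only checks audience and expiry."""
    if assertion["audience"] != audience:
        return {"status": "failure", "reason": "audience mismatch"}
    if assertion["expires"] <= int(time.time() * 1000):
        return {"status": "failure", "reason": "assertion expired"}
    return {"status": "okay", "email": assertion["email"], "audience": audience}


def login_vulnerable(session, form, verify=fake_verifier):
    """Logs in on any POSTed assertion: nothing ties the request to this session,
    so a form on another origin can submit it in the victim's browser (CSRF)."""
    result = verify(form["assertion"], SITE_AUDIENCE)
    if result["status"] != "okay":
        return False
    session.user = result["email"]
    return True


def login_hardened(session, form, verify=fake_verifier):
    """Requires a token known only to this session, then verifies against the
    server's own audience so an assertion issued for another site is refused."""
    token = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False  # not submitted from a page this site served to this session
    result = verify(form["assertion"], SITE_AUDIENCE)
    if result["status"] != "okay" or result["audience"] != SITE_AUDIENCE:
        return False
    session.user = result["email"]
    return True
```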


Versions affected

    BrowserID (Mozilla Persona) 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed BrowserID
(Mozilla Persona) module, there is nothing you need to do.

Solution

Install the latest version:

    If you use the BrowserID module for Drupal 7.x, upgrade to BrowserID 7.x-1.3

This version adds a dependency on the Session API module. Make sure you
install Session API before upgrading to BrowserID 7.x-1.3.

Also see the BrowserID (Mozilla Persona) project page.

Reported by

    Isaac Sukin, the module maintainer

Fixed by

    Isaac Sukin, the module maintainer
    Greg Knaddison of the Drupal Security Team
    Ben Adida of Mozilla

Coordinated by

    Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via
the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.

Categories: Drupal 7.x


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
