| Summary: | <www-apps/drupal-{5.22, 6.16} Insecure cookie session hijacking (CVE-2008-3661) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://int21.de/cve/CVE-2008-3661-drupal.html | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-09-24 15:20:54 UTC
It looks like upstream is not inclined to fix this problem: http://drupal.org/node/315703 Quote: "we consider that this is a configuration problem. It's your responsibility to set session.cookie_secure in the SSL virtual host if you want an SSL-only website." Added a notice + ewarn which is similar to what Fedora did to resolve this issue. Closing noglsa.

Index: postinstall-en.txt =================================================================== RCS file: /var/cvsroot/gentoo-x86/www-apps/drupal/files/postinstall-en.txt,v retrieving revision 1.3 diff -u -B -r1.3 postinstall-en.txt --- postinstall-en.txt 6 Dec 2007 14:40:54 -0000 1.3 +++ postinstall-en.txt 5 Mar 2010 13:01:29 -0000 @@ -13,4 +13,13 @@ and provide the credential required for the database access. +SECURITY NOTICE: If you use SSL on your Drupal installation, you +should enable the PHP configuration option `session.cookie-secure' +to make it harder for attackers to sniff session cookies. + +References: +CVE-2008-3661 +http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-secure +http://drupal.org/node/315703 +
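Review bot: the directive name in the added SECURITY NOTICE is wrong: PHP's ini option is `session.cookie_secure` (underscore), as the upstream quote earlier in this comment also spells it; the hyphenated form only appears in the manual URL's anchor, so an admin who copies `session.cookie-secure' into php.ini gets a setting PHP does not recognise. Suggest writing `session.cookie_secure`, using plain quotes instead of the `...' pairing, and adding one sentence that the option belongs in the SSL virtual host's PHP settings rather than the global php.ini (upstream's own advice), since a site that still serves plain-HTTP logins would otherwise lose its sessions.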
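A defender's check for the condition this bug describes, added here as an example (it is not Gentoo's or Drupal's code): it audits the Set-Cookie headers of a captured HTTPS response and reports session cookies that were issued without the Secure attribute, which is what a missing session.cookie_secure looks like on the wire. The cookie names and sample headers are constructed.

```python
from __future__ import annotations
import re
from typing import Iterable

# Assumed session cookie names: plain PHP uses PHPSESSID, Drupal uses
# SESS followed by a hex hash. Adjust the pattern to the deployment.
SESSION_COOKIE_RE = re.compile(r"^(SESS[0-9a-f]+|PHPSESSID)$", re.IGNORECASE)


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Split one Set-Cookie value into (cookie name, lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive ("Secure", "SECURE", "secure").
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def insecure_session_cookies(set_cookie_headers: Iterable[str],
                             over_https: bool) -> list[str]:
    """Names of session cookies sent over HTTPS without the Secure flag.

    Over plain HTTP nothing is reported: the flag cannot protect a cookie
    that is already travelling in clear text; the fix there is to serve
    the login over HTTPS and set session.cookie_secure in that vhost.
    """
    if not over_https:
        return []
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if SESSION_COOKIE_RE.match(name) and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed samples: what a PHP site sends with session.cookie_secure
# off (WEAK) and with it enabled in the SSL virtual host (FIXED).
WEAK = ["SESS1234abcd=deadbeef; path=/; domain=.example.org; HttpOnly",
        "has_js=1; path=/"]
FIXED = ["SESS1234abcd=deadbeef; path=/; domain=.example.org; HttpOnly; Secure",
         "has_js=1; path=/"]

if __name__ == "__main__":
    print(insecure_session_cookies(WEAK, over_https=True))   # ['SESS1234abcd']
    print(insecure_session_cookies(FIXED, over_https=True))  # []
```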