Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Project: Open Social
Date: 2019-November-06
Security risk: Critical 15∕25
Vulnerability: Insecure Session Management

Description

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.

Solution

Install the latest version:

If you use the Open Social distribution for Drupal 8.x-7.x, upgrade to open social 8.x-7.1
If you use the Open Social distribution for Drupal 8.x-6.x, upgrade to open social 8.x-6.5
Alternatively, disable the module social_magic_login.

Also see the Open Social project page.

Alex Shaposhnik's picture
Alex Shaposhnik
Technical Support Specialist
I provide technical assistance to our customers with all kinds of technical, hardware or software problems by modifying, installing, cleaning and repairing server-side software and customers' web applications and communicating to them the detailed answers and troubleshooting steps performed.

We value your opinion. Please add your feedback.