Drupal Chat Room Session Hijacking and Information Disclosure Vulnerabilities
BID:21531
Info
| Bugtraq ID: | 21531 |
| Class: | Design Error |
| CVE: | CVE-2006-4099 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 11 2006 12:00AM |
| Updated: | Dec 11 2006 12:00AM |
| Credit: | The vendor credits Eirik Hodne with the discovery of these vulnerabilities. |
| Vulnerable: | Drupal Chatroom 4.7.0-1.0-dev |
| Not Vulnerable: | Drupal Chatroom 4.7.0-1.0 |
Discussion
Drupal Chat Room is prone to session-hijacking and information-disclosure vulnerabilities because of multiple design errors in the affected application.
An attacker can exploit these issues to gain access to the affected application with the privileges of the hijacked user and can obtain sensitive information. This may lead to other attacks.
All prerelease versions of Chat Room are vulnerable to these issues.
Solution / Fix
Solution:
The vendor released an update to address these issues. Please see the references for more information.
References
References:
- Drupal Chat Room 4.7.x-1.0 Release Information (Drupal)
- Drupal Chat Room Home Page (Drupal)
- Drupal Security Advisory DRUPAL-SA-2006-030 (Drupal)