Drupal Session Fixation Vulnerability

Bugtraq ID:	30359
Class:	Design Error
CVE:	CVE-2008-3222
Remote:	Yes
Local:	No
Published:	Jul 09 2008 12:00AM
Updated:	May 07 2015 05:25PM
Credit:	Erich C. Beyrent
Vulnerable:	Drupal Drupal 6.2 Drupal Drupal 6.1 Drupal Drupal 6.0 Drupal Drupal 5.8 Drupal Drupal 5.6 Drupal Drupal 5.5 Drupal Drupal 5.4 Drupal Drupal 5.3 Drupal Drupal 5.2 Drupal Drupal 5.1 Drupal Drupal 5.0
Not Vulnerable:	Drupal Drupal 6.3 Drupal Drupal 5.9

Drupal Session Fixation Vulnerability

Drupal is prone to a session-fixation vulnerability.

Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.

This issue affects Drupal 5.x before 5.9 and Drupal 6.x before 6.3.

NOTE: This issue was originally covered in BID 30168 (Drupal Multiple Remote Vulnerabilities) and was supposed to be addressed by Drupal 5.8. However, the vendor has confirmed that this issue was not fixed and still exists in Drupal 5.8. Therefore, this issue has been assigned its own BID.

Drupal Session Fixation Vulnerability

An attacker can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

Drupal Session Fixation Vulnerability

Solution:
The vendor has released an advisory and updates. Please see the references for details.


Drupal Drupal 6.1

• Drupal SA-2008-044-6.2.patch
  http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch

Drupal Drupal 6.0

• Drupal SA-2008-044-6.2.patch
  http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch

Drupal Drupal 5.8

• Drupal SA-2008-046-5.8.patch
  http://drupal.org/files/sa-2008-046/SA-2008-046-5.8.patch

Drupal Drupal 6.2

• Drupal SA-2008-044-6.2.patch
  http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch

Drupal Session Fixation Vulnerability

References:

• Drupal Language Switcher Dropdown Homepage (Drupal)
  
• SA-2008-044 - Drupal core - Multiple vulnerabilities (Drupal)
  
• SA-2008-046 - Drupal core - Session fixation (Drupal)