This time the focus is on the Ajax Session module, which should be removed from all Drupal installations.
If anybody noticed, I'm not writing regular updates about Drupal security like I did last year. If you keep your installed core, modules, and themes up to date, then 90% of my 2008 posts will be redundant. Now I'm just writing about issues that go beyond keeping things up to date: for example, modules that should be avoided, and programming practices that can be dangerous.
This module allowed users to set PHP session variables using AJAX, but it performed no validity checks on what it was asked to store.
It also didn't use the Drupal API, which means all of Drupal's built-in controls were bypassed. So specially crafted input could be used to manipulate the system into a cross-site scripting attack or a request forgery.
Combine the two and you have a real problem: a person's input or GET header can change the session information.
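To make the dangerous practice concrete, here is an added sketch (my own illustration, not the Ajax Session module's code) of an AJAX handler that copies request values straight into the PHP session, next to a version that restricts keys, validates values and requires a Drupal form token. The function names and the allowed keys are hypothetical; the Drupal 6 API calls (drupal_valid_token, drupal_access_denied, drupal_json) are real.

```php
<?php
// Added illustration of the pattern described in the advisory; hypothetical function
// names, not code from the Ajax Session module.

// Dangerous pattern: any key and value named in the request is written to the session,
// with no check on either. A link or script a user is tricked into loading can therefore
// rewrite session state, and whatever it stores may later be echoed back unescaped.
function ajaxsession_unchecked_set() {
  $_SESSION[$_GET['name']] = $_GET['value'];
  drupal_json(array('status' => 'ok'));
}

// Checked version: only known keys, only values of the expected shape, only via POST,
// and only when the request carries a token the site itself issued
// (emitted into the page with drupal_get_token('ajaxsession')).
function ajaxsession_checked_set() {
  // Allowlist of session keys the feature legitimately needs, with a value pattern each.
  $allowed = array(
    'sort_order' => '/^(asc|desc)$/',
    'page_size'  => '/^(10|25|50)$/',
  );
  $name  = isset($_POST['name'])  ? $_POST['name']  : '';
  $value = isset($_POST['value']) ? $_POST['value'] : '';
  $token = isset($_POST['token']) ? $_POST['token'] : '';

  // A forged cross-site request cannot supply a valid token for this session.
  if (!drupal_valid_token($token, 'ajaxsession')) {
    drupal_access_denied();
    return;
  }
  // Reject unknown keys and malformed values instead of storing them.
  if (!isset($allowed[$name]) || !preg_match($allowed[$name], $value)) {
    drupal_json(array('status' => 'error', 'message' => 'invalid setting'));
    return;
  }
  // Namespace the key so the handler can never overwrite unrelated session entries.
  $_SESSION['ajaxsession_' . $name] = $value;
  drupal_json(array('status' => 'ok'));
}
```

Anything read back out of the session for display should still go through check_plain() before being rendered.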
According to the Drupal security team there is no solution to the problem, and the module has been removed from the Drupal web site.
Official Security Announcement
SA-CONTRIB-2009-031
http://drupal.org/node/474452