Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 5 Nov 2013 09:54:01 +0100
From: "Thijs Kinkhorst" <>
To: "Open Source Security" <>
Subject: CVE request: drupalauth module for simpleSAMLphp trivial


Alan Barrett reported an issue in the drupalauth module for simpleSAMLphp,
which takes the username out of a cookie which is obviously under control
of the user.

Report and patch:

(Note that this is an independently developed module not part of the
simpleSAMLphp core distribution. Note also that this module is used for
Drupal as an authentication source, and is not related to using Drupal
with simpleSAMLphp as an SP).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.