Drupal Chatroom Module Session ID Information Disclosure Date: Monday, December 11, 2006 @ 08:25:04 CST Topic: Security SECUNIA ADVISORY ID: SA23343 VERIFY ADVISORY: http://secunia.com/advisories/23343/ CRITICAL: Moderately critical IMPACT: Hijacking, Exposure of sensitive information SOFTWARE: Drupal Chatroom Module 4.x - http://secunia.com/product/12872/ DESCRIPTION: A vulnerability has been reported in the Chatroom Module for Drupal, which can be exploited by malicious people to hijack user sessions. The vulnerability is caused due to the application broadcasting session IDs of chatroom visitors to all participants in a chatroom. This can be exploited to hijack other users' sessions and gain access to the site with their privileges. A security issue where private messages were displayed in the "last messages" overview of a chatroom has also been fixed. The vulnerability is reported in all prerelease versions. SOLUTION: Update to the latest version 4.7.x-1.0. PROVIDED AND/OR DISCOVERED BY: Eirik Hodne ORIGINAL ADVISORY: http://drupal.org/node/102614 This article comes from Ravens PHP Scripts https://www.ravenphpscripts.com The URL for this story is: https://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2551