by David Snopek on May 17, 2017 - 9:29am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for an Access Bypass vulnerability the Legal module.

The Legal module displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted.

It had a bug where a specially crafted URL could allow anyone to login to a user account that hadn't yet accepted the terms and conditions. This is mitigated by the fact that an attacker must have a way to obtain the URL, possibly by snooping on web traffic that isn't protected via HTTPS or a man-in-the-middle attack.

(A note about the timing of this release: per our agreement with the Drupal Security Team, we were unable to release this patch until the same vulnerability was fixed for the Drupal 7 Legal module, or two weeks went by after that module was unsupported, if it appeared it wasn't going to be fixed. The fix for Drupal 7 was released today.)

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Legal module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Want to read more articles like this?

myDropWizard.com blog Subscribe to the myDropWizard.com blog and recieve e-mail updates when new articles are published!

Add comment

o