A specially crafted request could give a user access to another user’s session, allowing an attacker to hijack a random session.
This attack was known to be possible on certain Drupal 7 sites that serve both HTTP and HTTPS content (“mixed-mode”), but it is possible that other attack vectors exist for both Drupal 6 and Drupal 7.
Part of security release SA-CORE-2014-006
This vulnerability affects the following application versions:
- Drupal 6.0
- Drupal 6.1
- Drupal 6.2
- Drupal 6.3
- Drupal 6.4
- Drupal 6.5
- Drupal 6.6
- Drupal 6.7
- Drupal 6.8
- Drupal 6.9
- Drupal 6.10
- Drupal 6.11
- Drupal 6.12
- Drupal 6.13
- Drupal 6.14
- Drupal 6.15
- Drupal 6.16
- Drupal 6.17
- Drupal 6.18
- Drupal 6.19
- Drupal 6.20
- Drupal 6.21
- Drupal 6.22
- Drupal 6.23
- Drupal 6.24
- Drupal 6.25
- Drupal 6.26
- Drupal 6.27
- Drupal 6.28
- Drupal 6.29
- Drupal 6.30
- Drupal 6.31
- Drupal 6.32
- Drupal 6.33
- Drupal 7.0
- Drupal 7.1
- Drupal 7.2
- Drupal 7.3
- Drupal 7.4
- Drupal 7.5
- Drupal 7.6
- Drupal 7.7
- Drupal 7.8
- Drupal 7.9
- Drupal 7.10
- Drupal 7.11
- Drupal 7.12
- Drupal 7.13
- Drupal 7.14
- Drupal 7.15
- Drupal 7.16
- Drupal 7.17
- Drupal 7.18
- Drupal 7.19
- Drupal 7.20
- Drupal 7.21
- Drupal 7.22
- Drupal 7.23
- Drupal 7.24
- Drupal 7.25
- Drupal 7.26
- Drupal 7.27
- Drupal 7.28
- Drupal 7.29
- Drupal 7.30
- Drupal 7.31
- Drupal 7.32
- Drupal 7.33