CVE-2010-3686 Information

Description

The OpenID module in Drupal 6.x before 6.18 and the OpenID module 5.x before 5.x-1.4 for Drupal violates the OpenID 2.0 protocol by not ensuring that fields are signed which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Reference

http://drupal.org/node/880476 http://drupal.org/node/880480 http://marc.info/?l=oss-security&m=128418560705305&w=2 http://marc.info/?l=oss-security&m=128440896914512&w=2 http://www.debian.org/security/2010/dsa-2113 http://www.securityfocus.com/bid/42388