Critical: WebAccess Module Vulnerability Fixed
I’m posting this on behalf of the module developer, Jason Heffner. -Andrew
There is a critical security hole in the webaccess module written by Jason Heffner.

You should go immediately and download the latest version at:

http://ets.tlt.psu.edu/wiki/Drupal_auth

Details:

The WebAccess module does not handle the redirect_url properly. It is possible to send a request to a different site after logging into webaccess. This could cause phishing vulnerabilities with faked PSU web sites.
If you have a custom version of this module the code to update is below. Otherwise, simply replace the module.
Replace:
function webaccess_redirect() {
  global $user;

  // Vulnerable version: redirect_url is used as-is, so any absolute URL is honoured.
  $uri = $_GET['redirect_url'];
  if ($uri == "") {
    $uri = base_path();
  }
  webaccess_do_logon();
  header('Location: ' . $uri);
  exit;
}
With this:
function webaccess_redirect() {
  global $user;
  global $base_url;

  // Fixed version: sanitise the value and only honour it if it starts with this site's base URL.
  $uri = check_url($_GET['redirect_url']);
  $check_uri = preg_quote($base_url, '/');
  if (($uri == "") || (!preg_match("/^" . $check_uri . "/", $uri))) {
    $uri = base_path();
  }
  webaccess_do_logon();
  header('Location: ' . $uri);
  exit;
}
Please, forward this to any colleagues you know currently using this module.
Thanks,

Jason
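
As an added example, not part of Jason's post or of the WebAccess module's own code: the function below applies the same rule the fix above enforces (after logon, only follow a redirect_url that points back to this site, otherwise fall back to the site root), but it compares the parsed scheme, host and port of the requested URL with those of $base_url rather than testing a string prefix, and it accepts plain site-relative paths. The names used are assumptions: $base_url stands for the Drupal global used in the posted fix, $fallback stands in for base_path(), and the base URL and sample inputs at the bottom are constructed for illustration.

```php
<?php
// Added example, not the module's code. Returns the redirect target that
// webaccess_redirect() may safely place in a Location header.
// Assumed names: $base_url (Drupal's site URL, as in the posted fix) and
// $fallback (what base_path() would return).
function webaccess_safe_redirect_target($requested, $base_url, $fallback = '/')
{
    if (!is_string($requested) || $requested === '') {
        return $fallback;
    }

    $parts = parse_url($requested);
    if ($parts === false) {
        // Malformed URL: never pass it through to a Location header.
        return $fallback;
    }

    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // No scheme and no host: accept only a plain site-relative path.
        // parse_url already reports "//host/..." as a host, but browsers also
        // read "/\host" as protocol-relative, so reject a leading "/\" too.
        if (substr($requested, 0, 1) !== '/' || substr($requested, 1, 1) === '\\') {
            return $fallback;
        }
        return $requested;
    }

    $base = parse_url($base_url);
    if ($base === false || !isset($base['scheme'], $base['host'])) {
        return $fallback;
    }

    // Scheme and host are case-insensitive; the port must match exactly
    // (an absent port on both sides counts as a match).
    $same_scheme = isset($parts['scheme'])
        && strcasecmp($parts['scheme'], $base['scheme']) === 0;
    $same_host = isset($parts['host'])
        && strcasecmp($parts['host'], $base['host']) === 0;
    $same_port = (isset($parts['port']) ? $parts['port'] : null)
        === (isset($base['port']) ? $base['port'] : null);

    return ($same_scheme && $same_host && $same_port) ? $requested : $fallback;
}

// Constructed base URL and sample redirect_url values (not from the post).
$base = 'http://drupal.example.psu.edu';
$samples = array(
    '',                                       // empty            -> fallback
    '/node/42',                               // relative path    -> allowed
    'http://drupal.example.psu.edu/user/me',  // same site        -> allowed
    'HTTP://DRUPAL.EXAMPLE.PSU.EDU/user/me',  // case differs     -> allowed
    'http://drupal.example.psu.edu:8080/x',   // different port   -> fallback
    'https://drupal.example.psu.edu/x',       // different scheme -> fallback
    'http://other.example.org/login',         // other host       -> fallback
    '//other.example.org/login',              // protocol-relative -> fallback
);
foreach ($samples as $s) {
    printf("%-42s -> %s\n", var_export($s, true),
        webaccess_safe_redirect_target($s, $base, '/'));
}
```

Inside the module this would replace the preg_match test in the fixed webaccess_redirect(): call it with check_url($_GET['redirect_url']), $base_url and base_path(), and send whatever it returns in the Location header.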