As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules – but the Drupal 6 LTS vendors are and we’re one of them!
Today, there is a Critical security release for the Session Limit module to fix a Insecure Session Management vulnerability.
The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have.
The module does not sufficiently tokenise the list of sessions so that the user’s session keys can be found through inspection of the form.
See the security advisory for Drupal 7 for more information.
Here you can download the Drupal 6 patch.
If you have a Drupal 6 site using the Session Limit module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. 🙂
If you’d like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they’re released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you’ll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won’t necessarily have a release on Drupal.org).