Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules terminate the current request during a login event, allows remote attackers to hijack web sessions via unknown vectors.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Drupal | Drupal | 5.0 (including) | 5.9 (excluding) |
| Drupal | Drupal | 6.0 (including) | 6.3 (excluding) |
| Drupal | Ubuntu | dapper | * |
| Drupal | Ubuntu | feisty | * |
| Drupal | Ubuntu | upstream | * |
| Drupal5 | Ubuntu | gutsy | * |
| Drupal5 | Ubuntu | hardy | * |
| Drupal5 | Ubuntu | upstream | * |
Such a scenario is commonly observed when: