Project: Automated Logout (autologout)
Date:
Severity: Moderately Critical
Vulnerability: Cross-Site Request Forgery
Affected versions: <7.x-4.7
Description
The Automated Logout module provides a site administrator the ability to log users out after a specified time of inactivity.
The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.
This vulnerability is mitigated by the fact that an attacker cannot read the response of cross-origin requests, limiting the impact to forced logout rather than information disclosure.
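As an added defensive illustration, not the autologout module's code or its actual fix: a hypothetical Drupal 7 module (`example_logout`; path and function names are assumed) that binds its logout route to a session-specific token via `drupal_get_token()` / `drupal_valid_token()`, so a cross-site request that does not carry the token is refused by the access callback before the page callback runs.

```php
<?php
// Hypothetical module "example_logout" (added example, not autologout).
// The route only executes when the request carries a token derived from
// the current session; a third-party page cannot obtain that token.

/**
 * Implements hook_menu().
 */
function example_logout_menu() {
  $items = array();
  // Assumed path. Access is decided by example_logout_access() below.
  $items['example-logout/do'] = array(
    'title' => 'Log out now',
    'page callback' => 'example_logout_do',
    'access callback' => 'example_logout_access',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: require an authenticated user and a valid CSRF token.
 *
 * drupal_valid_token() recomputes the token from the session ID, the site's
 * private key and the route-specific value, so a token from another session
 * or a guessed value fails the comparison.
 */
function example_logout_access() {
  if (!user_is_logged_in()) {
    return FALSE;
  }
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  return drupal_valid_token($token, 'example-logout/do');
}

/**
 * Page callback: end the session the same way core's user_logout() does.
 */
function example_logout_do() {
  global $user;
  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
  module_invoke_all('user_logout', $user);
  session_destroy();
  drupal_goto('<front>');
}

/**
 * Builds the only URL a legitimate client should use; the token rides along.
 */
function example_logout_url() {
  return url('example-logout/do', array(
    'query' => array('token' => drupal_get_token('example-logout/do')),
  ));
}
```

Because the token is checked in the access callback, an unauthenticated or cross-origin request to the path receives an access-denied response and the session is left intact.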
Solution
Install the latest version.
If you use the Automated Logout module for Drupal 7, upgrade to autologout 7.x-4.7.
Reported by:
Fixed by:
Coordinated by:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Tag1 D7ES