- Advisory ID: DRUPAL-SA-CONTRIB-2011-026
- Project: Secure Password Hashes (phpass) (third-party module)
- Version: 5.x, 6.x
- Date: 2011-June-29
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
This module uses the PHPass hashing library to store users' hashed passwords securely.
The module writes a fixed string into the 'pass' column of the {users} database table but does not replace the pass attribute of the account object used to generate and validate password reset links. Because the reset link is then derived from a fixed, known value rather than the user's real password hash, a valid password reset link could be determined by brute force within a matter of minutes in the worst case. In addition, the password reset link is not invalidated if a logged-in user changes her password.
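As an added illustration (not the module's or Drupal's code): Drupal 6's user_pass_rehash() derives the reset token as md5 of the link timestamp, the account's last-login time and the account's pass value, so a token built from a fixed pass value neither depends on the real password nor stops validating when the password changes. The phpass stand-in, salt and timestamps below are constructed; the model compares the vulnerable path with the fixed one, where the real hash is substituted into the account before the token is computed.

```python
import hashlib
import hmac

# Constructed stand-in for the fixed string the module wrote into {users}.pass.
FIXED_PASS_COLUMN = "U"


def user_pass_rehash(password, timestamp, login):
    """Drupal 6 reset-token shape: md5(timestamp . login . password)."""
    return hashlib.md5(f"{timestamp}{login}{password}".encode()).hexdigest()


def phpass_like_hash(password, salt="constructed-salt"):
    """Stand-in for the phpass hash the module keeps outside {users}.pass (not real phpass)."""
    return hashlib.sha256(f"{salt}{password}".encode()).hexdigest()


def reset_token(account, timestamp, bind_to_real_hash):
    """Vulnerable path (False): token derived from the fixed column value.
    Fixed path (True): the real phpass hash replaces account pass first."""
    pass_value = account["phpass_hash"] if bind_to_real_hash else account["pass"]
    return user_pass_rehash(pass_value, timestamp, account["login"])


def reset_token_valid(account, timestamp, token, now, bind_to_real_hash, timeout=86400):
    """Mirror of the reset-link check: link not expired and token recomputes."""
    if now - timestamp > timeout:
        return False
    expected = reset_token(account, timestamp, bind_to_real_hash)
    return hmac.compare_digest(expected, token)


def make_account(password):
    # 'login' is the Unix timestamp of the user's last login (constructed value).
    return {"pass": FIXED_PASS_COLUMN, "phpass_hash": phpass_like_hash(password), "login": 1309305600}


def link_survives_password_change(bind_to_real_hash):
    """True if a reset link issued before a password change still validates afterwards."""
    account = make_account("old-password")
    issued_at = 1309309200
    token = reset_token(account, issued_at, bind_to_real_hash)
    account["phpass_hash"] = phpass_like_hash("new-password")  # logged-in user changes password
    return reset_token_valid(account, issued_at, token, issued_at + 60, bind_to_real_hash)


def token_depends_on_password(bind_to_real_hash):
    """True if accounts with different passwords (same login time) get different tokens."""
    a, b = make_account("alpha"), make_account("bravo")
    return reset_token(a, 1309309200, bind_to_real_hash) != reset_token(b, 1309309200, bind_to_real_hash)
```

With the fixed column value the token carries no password-dependent secret and outlives a password change; binding it to the real hash restores both properties.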
Versions affected
- Secure Password Hashes (phpass) for Drupal 6.x before 6.x-1.1
- Secure Password Hashes (phpass) for Drupal 5.x before 5.x-1.5
Drupal core is not affected. If you do not use the contributed Secure Password Hashes (phpass) module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Secure Password Hashes (phpass) module for Drupal 6.x upgrade to 6.x-1.1 or later.
See also the Secure Password Hashes (phpass) project page.
Reported by
- PWolanin of the Drupal Security Team
Fixed by
- PWolanin of the Drupal Security Team (and new module maintainer)
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.