  • Advisory ID: DRUPAL-SA-CONTRIB-2012-001
  • Project: Registration Codes (third-party module)
  • Version: 6.x
  • Date: 2012-January-04
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

CVE: CVE-2012-1623

The Registration Codes module enables site administrators to restrict registration for new accounts to only users who provide a valid registration code.

The default module installation provides no access check for the registration code list. As a result, unauthenticated users can easily view the list of registration codes.

Versions affected

  • Registration Codes module for Drupal 6.x versions prior to 6.x-2.4

Drupal core is not affected. If you do not use the contributed Registration Codes module, there is nothing you need to do.
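
To check an installed copy against the affected range above, the following added example (not code from the module or from the Drupal security team) reads the `version` line of a module .info file and classifies it relative to 6.x-2.4. It assumes the module was installed from a packaged release whose .info file carries a `version` line, and it assumes the usual dev < alpha < beta < rc < final ordering; the sample .info text is constructed.

```python
import re

FIXED = "6.x-2.4"  # first fixed release, per the advisory
# Assumed ordering of release stages: dev < alpha < beta < rc < final.
STAGES = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4}
VERSION_RE = re.compile(
    r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-(dev|alpha|beta|rc)(\d*))?$")

# Constructed sample .info contents, not taken from the module.
SAMPLE_INFO = """\
; Constructed sample for this example.
name = Registration Codes
core = 6.x
version = "6.x-2.3"
"""

def info_version(info_text):
    """Return the value of the 'version' key in .info text, or None."""
    for line in info_text.splitlines():
        if line.lstrip().startswith(";"):     # comment line
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip().strip("\"'")
    return None

def release_key(version):
    """Sortable key for a contrib version, or None if it cannot be ordered."""
    m = VERSION_RE.match(version)
    if not m or m.group(3) == "x":            # e.g. a 6.x-2.x-dev snapshot
        return None
    core, major, patch, stage, num = m.groups()
    return (int(core), int(major), int(patch), STAGES[stage], int(num or 0))

def advisory_status(version):
    """Classify as 'affected', 'fixed', 'not-covered' or 'unknown'."""
    key = release_key(version) if version else None
    if key is None:
        return "unknown"        # missing, dev snapshot or unparsable: check by hand
    if key[0] != 6:
        return "not-covered"    # the advisory names only the 6.x branch
    # Numeric comparison, so 6.x-2.10 sorts after 6.x-2.4.
    return "affected" if key < release_key(FIXED) else "fixed"

if __name__ == "__main__":
    found = info_version(SAMPLE_INFO)
    print(found, advisory_status(found))
```

A result of "unknown" means the version string alone cannot decide (for example a branch dev snapshot), so the installed code has to be compared against the fixed release directly.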

Solution

Install the latest version:

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.