- Advisory ID: DRUPAL-SA-CONTRIB-2012-007
- Project: Password policy (third-party module)
- Version: 6.x
- Date: 2012-January-11
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description
This module enables you to specify a certain level of password complexity (also known as "password hardening") for user passwords on a system by defining a policy.
Cross Site Request Forgery (CSRF)
CVE: CVE-2012-1633
Unblocking a user does not require sufficient confirmation by administrative users and can be exploited with a specially crafted URL.
Cross Site Scripting (XSS)
CVE: CVE-2012-1632
The module doesn't sufficiently sanitize the name of password policies. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer policies".
This issue also affects the 7.x branch which is only in beta release. Users of non-stable releases are encouraged to upgrade frequently as those releases are not covered by the Drupal Security Team policy.
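As an added illustration (not the Password Policy module's own source), the Drupal 6 module code below shows the two defensive patterns that close the bug classes described above: a state-changing action such as unblocking a user is reachable only through a Form API confirmation form, whose per-user token the framework validates on submit so a crafted link cannot trigger it, and administrator-supplied policy names are passed through check_plain() before they reach the page. The module name "example", its paths, function names and the $policy->name / $policy->pid fields are hypothetical.

```php
<?php
// Hypothetical "example" module: illustrative Drupal 6 code, not the
// Password Policy module's real implementation.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items = array();
  // The unblock action is served by drupal_get_form(), so it carries a
  // form token and only a POST from the confirmation page can complete it;
  // a bare GET request to this path merely renders the question.
  $items['example/unblock/%user'] = array(
    'title' => 'Unblock user',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_unblock_confirm', 2),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Confirmation form builder; $account is loaded by the %user wildcard.
 */
function example_unblock_confirm(&$form_state, $account) {
  $form['uid'] = array('#type' => 'value', '#value' => $account->uid);
  return confirm_form($form,
    t('Are you sure you want to unblock %name?', array('%name' => $account->name)),
    'admin/user/user', NULL, t('Unblock'), t('Cancel'));
}

/**
 * Runs only after Form API has validated the form token and the menu
 * access check has passed.
 */
function example_unblock_confirm_submit($form, &$form_state) {
  $account = user_load($form_state['values']['uid']);
  user_save($account, array('status' => 1));
  drupal_set_message(t('%name has been unblocked.', array('%name' => $account->name)));
  $form_state['redirect'] = 'admin/user/user';
}

/**
 * Renders a policy listing. Policy names are administrator input, so
 * they are escaped with check_plain() rather than printed raw.
 */
function example_policy_list($policies) {
  $header = array(t('Name'), t('Operations'));
  $rows = array();
  foreach ($policies as $policy) {
    $rows[] = array(
      check_plain($policy->name),
      l(t('edit'), 'example/policy/' . $policy->pid . '/edit'),
    );
  }
  return theme('table', $header, $rows);
}
```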
Versions affected
- Password Policy 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Password Policy module for Drupal 6.x, upgrade to Password Policy 6.x-1.4.
Clear the site's cache:
visit Administer > Site Configuration > Performance and click "Clear cached data."
See also the Password policy project page.
Reported by
- Greg Knaddison of the Drupal Security Team
Fixed by
- Erik Webb, the module co-maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.