SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords

By Drupal Security Team on 31 Oct 2012 at 18:39 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2012-159
Project: Password policy (third-party module)
Version: 6.x, 7.x
Date: 2012-October-31
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Information Disclosure

Description

This module provides a way to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a password policy.

The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X passwords they have used (X is determined by the site configuration). If this feature is enabled, a malicious user with the capability to view another user's HTTP traffic can discover the hashed version of their password. This issue is more of a risk for Drupal 6 sites that use the default md5 password encryption.

This issue only affects sites that use the module's "previous passwords" feature, and fail to encrypt their users' HTTP transactions with SSL/TLS.

CVE: CVE-2012-5552

Versions affected

Password policy 6.x-1.x versions prior to 6.x-1.5.
Password policy 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Password policy module for Drupal 6.x, upgrade to Password policy 6.x-1.5
If you use the Password policy module for Drupal 7.x, upgrade to Password policy 7.x-1.3

Also see the Password policy project page.