- Advisory ID: DRUPAL-SA-CONTRIB-2012-159
- Project: Password policy (third-party module)
- Version: 6.x, 7.x
- Date: 2012-October-31
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure
Description
This module provides a way to specify a certain level of password complexity (a.k.a. "password hardening") for user passwords on a system by defining a password policy.
The Password policy module allows administrators to require users to enter a new password that does not match any of the previous X passwords they have used (X is determined by the site configuration). If this feature is enabled, a malicious user with the capability to view another user's HTTP traffic can discover the hashed version of that user's password. This issue is a greater risk for Drupal 6 sites, which use the default unsalted MD5 password hashing.
This issue only affects sites that use the module's "previous passwords" feature, and fail to encrypt their users' HTTP transactions with SSL/TLS.
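As an added illustration (not code from the Password policy module or from this advisory), the following Python sketch shows the defensive shape of a "previous X passwords" check: the history of salted hashes stays on the server, the comparison happens there, and the response sent back over HTTP carries only a status message. The class and function names, the history depth and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 3          # assumed value of the site's "previous X passwords" setting
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; contrast with the unsalted MD5 default of Drupal 6
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

class PasswordHistory:
    """Per-user list of (salt, digest) pairs. It is never serialised to the client."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (salt, digest), newest last

    def was_used(self, candidate: str) -> bool:
        # Re-derive with each stored salt and compare in constant time
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(password, salt)))
        self._entries = self._entries[-self.depth:]  # keep only the last X

def change_password(history: PasswordHistory, new_password: str) -> dict:
    """Server-side handler. The returned dict is all the client ever sees:
    a boolean and a message, no salt or digest material."""
    if history.was_used(new_password):
        return {"ok": False, "message": "Password matches one of your previous passwords."}
    history.record(new_password)
    return {"ok": True, "message": "Password changed."}
```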
CVE: CVE-2012-5552
Versions affected
- Password policy 6.x-1.x versions prior to 6.x-1.5.
- Password policy 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Password policy module for Drupal 6.x, upgrade to Password policy 6.x-1.5
- If you use the Password policy module for Drupal 7.x, upgrade to Password policy 7.x-1.3
Also see the Password policy project page.
Reported by
Fixed by
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Damien Tournoud of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.