By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-053
  • Project: Login Security (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-June-19
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Login Security module adds additional access controls to the login form of Drupal.

When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to login can consume all the web serving processes, causing a denial of service.

It is possible to bypass Login Security features when soft blocking is disabled or when the attacker has an account on the site. This is due to the incorrect use of string filtering in the module which can cause the module to skip all checks.

CVE identifier(s) issued

  • CVE-2013-2197: When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to login can consume all the web serving processes, causing a denial of service.
  • CVE-2013-2198: It is possible to bypass Login Security features when soft blocking is disabled. This is due to the incorrect use of string filtering in the module which can cause the module to skip all checks.

Versions affected

  • Login Security 6.x-1.x versions prior to 6.x-1.2.
  • Login Security 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Login Security module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Login Security project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 6.x, Drupal 7.x