SA-CONTRIB-2014-057 - Password policy - General logic error

By Drupal Security Team on 21 May 2014 at 15:15 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2014-057
Project: Password policy (third-party module)
Version: 7.x
Date: 2014-May-21
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: General logic error

Description

This module enables you to define password policies with various constraints on allowable user passwords. The history constraint, when enabled, disallows a user's password from being changed to match a specified number of their previous passwords.

Beginning with Password Policy 7.x-1.4, the history constraint had no effect when enabled, and user passwords could be changed to match any previous passwords beyond the most recent. Therefore, passwords of users that were changed since Password Policy 7.x-1.4 or later was installed may match previous passwords in violation of the history constraint.

This vulnerability is mitigated by the fact that it only affects users covered by a password policy with the history constraint enabled.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

Password policy 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Install the latest version:
- If you use the Password policy module for Drupal 7.x, upgrade to Password policy 7.x-1.6
Force a password change for all users covered by a password policy with the history constraint enabled.

Also see the Password policy project page.