January 2012 - Security-news - lists.drupal.org

SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)
by security-news＠drupal.org 25 Jan '12

25 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-015 * Project: Managesite [1] (third-party module) * Version: 6.x * Date: 2012-January-25 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone (/admin). The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer managesite". -------- VERSIONS AFFECTED --------------------------------------------------- * Managesite 6.x-1.x versions prior to 6.x-1.1. Drupal core is not affected. If you do not use the contributed Managesite [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Managesite module for Drupal 6.x, upgrade to Managesite 6.x-1.1 [4] See also the Managesite [5] project page. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [6] -------- FIXED BY ------------------------------------------------------------ * jacinto capote robles [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/managesite [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/managesite [4] http://drupal.org/node/1410856 [5] http://drupal.org/project/managesite [6] http://drupal.org/user/302225 [7] http://drupal.org/user/348228 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS)
by security-news＠drupal.org 25 Jan '12

25 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-014 * Project: Drupal Commerce [1] (third-party module) * Version: 7.x * Date: 2012-January-25 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Cart forms. In Drupal Commerce 1.1 this feature was expanded to also incorporate the "extra fields" of products, i.e. the product title and SKU. The theme functions used to render product titles and SKUs prints those variables to the page without properly sanitizing them first. A user with the proper permissions could create a product that ends up in a node display where a malicious title or SKU is rendered. This vulnerability is mitigated by the fact that the attacker must have a role with a product creation permission, and since Drupal Commerce 1.1, the site must have been updated to make use of these extra fields in product display nodes as they default to being hidden on all product displays. -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal Commerce version 7.x-1.1. Drupal core is not affected. If you do not use the contributed Drupal Commerce [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal Commerce 7.x-1.1, upgrade to Drupal Commerce 7.x-1.2 [4] See also the Drupal Commerce [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen (mr.baileys [6]) of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team * Ryan Szrama (rszrama [8]) the module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/commerce [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/commerce [4] http://drupal.org/node/1417014 [5] http://drupal.org/project/commerce [6] http://drupal.org/user/383424 [7] http://drupal.org/user/383424 [8] http://drupal.org/user/49344 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection
by security-news＠drupal.org 25 Jan '12

25 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-013 * Project: Search Autocomplete [1] (third-party module) * Version: 7.x * Date: 2012-January-25 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site. Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carryout SQL injection on the site. This vulnerability is mitigated by the fact that users must have a role with permission "use search_autocomplete" to exploit. -------- VERSIONS AFFECTED --------------------------------------------------- * Search Autocomplete versions prior to 7.x-2.1. Drupal core is not affected. If you do not use the contributed Search Autocomplete [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-2.1 [4] See the Search Autocomplete [5] project page for more information. -------- REPORTED BY --------------------------------------------------------- * Miguel Hermo (serans) [6] -------- FIXED BY ------------------------------------------------------------ * Dominique Clause (Miroslav Talenberg) [7] the module maintainer * Miguel Hermo (serans) [8] -------- COORDINATED BY ------------------------------------------------------ * Ben Jeavons [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/search_autocomplete [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/search_autocomplete [4] http://drupal.org/node/1410674 [5] http://drupal.org/project/search_autocomplete [6] http://drupal.org/user/1593256 [7] http://drupal.org/user/801982 [8] http://drupal.org/user/1593256 [9] http://drupal.org/user/91990 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)
by security-news＠drupal.org 18 Jan '12

18 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-012 * Project: Quick Tabs [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-January-18 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs. Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user account with a role permitted to create or edit a Quicktabs instance. -------- VERSIONS AFFECTED --------------------------------------------------- * Quicktabs 6.x-2.x versions prior to 6.x-2.1. * Quicktabs 6.x-3.x versions prior to 6.x-3.1. * Quicktabs 7.x-3.x versions prior to 7.x-3.3. Drupal core is not affected. If you do not use the contributed Quick Tabs [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Quicktabs 2.x module for Drupal 6.x, upgrade to Quicktabs 6.x-2.1 [4] * If you use the Quicktabs 3.x module for Drupal 6.x, upgrade to Quicktabs 6.x-3.1 [5] * If you use the Quicktabs 3.x module for Drupal 7.x, upgrade to Quicktabs 7.x-3.3 [6] See also the Quick Tabs [7] project page. -------- REPORTED BY --------------------------------------------------------- * Owen Barton [8] of the Drupal Security Team * Michael Smith [9] -------- FIXED BY ------------------------------------------------------------ * Katherine Bailey [10] the module maintainer * Michael Smith [11] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/quicktabs [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/quicktabs [4] http://drupal.org/node/1409480 [5] http://drupal.org/node/1409482 [6] http://drupal.org/node/1409484 [7] http://drupal.org/project/quicktabs [8] http://drupal.org/user/19668 [9] http://drupal.org/user/1291584 [10] http://drupal.org/user/172987 [11] http://drupal.org/user/1291584w [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)
by security-news＠drupal.org 18 Jan '12

18 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-011 * Project: Panels [1] (third-party module) * Version: 6.x * Date: 2012-January-18 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Panels module allows a site administrator to create customized layouts for multiple uses. The module doesn't sufficiently sanitize administrator supplied data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer panel layouts". -------- VERSIONS AFFECTED --------------------------------------------------- * Panels 6.x-2.x versions prior to 6.x-3.10. Drupal core is not affected. If you do not use the contributed Panels [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Panels module for Drupal 6.x, upgrade to Panels 6.x-3.10 [4] See also the Panels [5] project page. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [6] -------- FIXED BY ------------------------------------------------------------ * Justin Klein Keane [7] * Earl Miles [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/panels [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/panels [4] http://drupal.org/node/1409446 [5] http://drupal.org/project/panels [6] http://drupal.org/user/302225 [7] http://drupal.org/user/302225 [8] http://drupal.org/user/26979 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-010 - stickynote - Multiple vulnerabilities
by security-news＠drupal.org 18 Jan '12

18 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-010 * Project: stickynote [1] (third-party module) * Version: 7.x * Date: 2012-January-17 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- This module enables you to add textual notes in a block to perform quality assurance of your site. Previously it did not sufficiently protect against Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF). This vulnerability is mitigated by the fact that an attacker must have a role with the permission "delete stickynotes" or "edit stickynotes". -------- VERSIONS AFFECTED --------------------------------------------------- * Stickynote 7.x-1.x versions prior to 7.x-1.1 Drupal core is not affected. If you do not use the contributed stickynote [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Stickynote version 7.x-1.x download 7.x-1.1 [4]. See also the stickynote [5] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Luke Herrington [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/stickynote [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/stickynote [4] http://drupal.org/node/1408556 [5] http://drupal.org/project/stickynote [6] http://drupal.org/user/36762 [7] http://drupal.org/user/1088824 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-009 - Revisioning - Access bypass
by security-news＠drupal.org 18 Jan '12

18 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-009 * Project: Revisioning [1] (third-party module) * Version: 7.x * Date: 2012-January-18 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher. The module's implementation of hook_node_access() assumes that access is to granted/denied based on the logged-in user's permissions. However, the hook may be invoked in contexts whereby the access grants are to be returned for a particular account passed into the hook. This could result in an access bypass vulnerability if node_access() is called for a specific user account. This vulnerability happens when using the XML sitemap module which as a result will disclose the URLs of un-accessible or unpublished content to anonymous users. The actual content itself is not disclosed. -------- VERSIONS AFFECTED --------------------------------------------------- * Revisioning 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Revisioning [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Revisioning module for Drupal 7.x, upgrade to Revisioning 7.x-1.3 [4]. See also the Revisioning [5] project page. -------- REPORTED BY --------------------------------------------------------- * Dave Reid [6], Drupal Security Team member * Adam Bramley [7] -------- FIXED BY ------------------------------------------------------------ * Dave Reid [8], Drupal Security Team member * Rik de Boer [9], module maintainer -------- COORDINATED BY ------------------------------------------------------ * Dave Reid [10], Drupal Security Team member -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/revisioning [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/revisioning [4] http://drupal.org/node/1407456 [5] http://drupal.org/project/revisioning [6] http://drupal.org/user/53892 [7] http://drupal.org/user/1036766 [8] http://drupal.org/user/53892 [9] http://drupal.org/user/404007 [10] http://drupal.org/user/53892 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

PSA-2012-001 - Hash DOS attack prevention with Suhosin needs a .htaccess edit
by security-news＠drupal.org 11 Jan '12

11 Jan '12

* Advisory ID: DRUPAL-PSA-2012-001 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2012-01-11 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Denial of Service -------- DESCRIPTION --------------------------------------------------------- PHP is vulnerable to a hash collision denial of service (DOS) [3] attack. If an attacker can post a large amount of specifically chosen variables to the site, a large amount of CPU time is consumed preventing service to visitors. Many users deploy the Suhosin PHP extension [4] to limit the amount of posted variables that will be handled by PHP, thus preventing the DOS attack. There's an unfortunate interaction with the mbstring extension required by Drupal to work with UTF-8. When the setting mbstring.encoding_translation is updated via .htaccess the mbstring extension changes the PHP POST handlers so that only every other POST variable can be handled by Suhosin. While Suhosin will still remove half of the variables over the post.max_vars limit, it is ultimately unsuccesful in limiting the amount of posted variables and thus in preventing the hash collision DOS attack. -------- VERSIONS AFFECTED --------------------------------------------------- All versions -------- SOLUTION ------------------------------------------------------------ Confirm that the master value of mbstring.encoding_translation is set to Off via: * Drupal 7: Reports > Status, then More information on the PHP version (admin/reports/status/php) * Drupal 6: Administer > Reports > Status report, then follow the link on the PHP version (admin/reports/status/php) Next, remove the lines from the file .htaccess in the Drupal root. For Drupal 7.x remove the lines: php_flag mbstring.encoding_translation off For Drupal 6.x remove the lines: php_value mbstring.encoding_translation off If the master value of mbstring.encoding_translation is On, change it to Off via PHP.ini. Contact your hosting provider if necessary. If you do not use Suhosin, limit the amount of variables posted to your site in another way. You should consider upgrading to PHP 5.3.9 and using its newly introduced directive 'max_input_vars'. Please note that setting such limits too low (whether via Suhosin or PHP) can break processing on long forms like the permissions administration screen. It is likely that the near-future will see an update to Suhosin, making the procedure described in this PSA unnecessary. See also the Drupal core [5] project page. -------- REPORTED BY --------------------------------------------------------- * Dominic Böttger -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [6]. Learn more about the Drupal Security team and their policies [7], writing secure code for Drupal [8], and securing your site [9]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://www.ocert.org/advisories/ocert-2011-003.html [4] http://www.hardened-php.net/ [5] http://drupal.org/project/drupal [6] http://drupal.org/contact [7] http://drupal.org/security-team [8] http://drupal.org/writing-secure-code [9] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting
by security-news＠drupal.org 11 Jan '12

11 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-008 * Project: Video Filter [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-JANUARY-11 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display. This vulnerability is mitigated by the fact that the attacker has to be able to either control the source of third party data (such as via DNS hijack) or manipulate it in transit. -------- VERSIONS AFFECTED --------------------------------------------------- * Video Filter 6.x-2.x and 6.x-3.x versions prior to 6.x-3.0. * Video Filter 7.x-2.x and 7.x-3.x versions prior to 7.x-3.0. Drupal core is not affected. If you do not use the contributed Video Filter [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Video Filter module for Drupal 6.x, upgrade to Video Filter 6.x-3.0 [4] * If you use the Video Filter module for Drupal 7.x, upgrade to Video Filter 7.x-3.0 [5] See also the Video Filter [6] project page. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [7] -------- FIXED BY ------------------------------------------------------------ * Justin Klein Keane [8] * Hans Nilsson [9], module maintainer -------- COORDINATED BY ------------------------------------------------------ * Dave Reid [10], Drupal Security Team member -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/video_filter [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/video_filter [4] http://drupal.org/node/1401798 [5] http://drupal.org/node/1401800 [6] http://drupal.org/project/video_filter [7] http://drupal.org/user/302225 [8] http://drupal.org/user/302225 [9] http://drupal.org/user/110169 [10] http://drupal.org/user/53892 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities
by security-news＠drupal.org 11 Jan '12

11 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-007 * Project: Password policy [1] (third-party module) * Version: 6.x * Date: 2012-January-11 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- This module enables you to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a policy. .... Cross Site Request Forgery (CSRF) Unblocking a user does not require sufficient confirmation by administrative users and can be exploited with a specially crafted URL. .... Cross Site Scripting (XSS) The module doesn't sufficiently sanitize the name of password policies. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer policies". This issue also affects the 7.x branch which is only in beta release. Users of non-stable releases are encouraged to upgrade frequently as those releases are not covered by the Drupal Security Team policy [3]. -------- VERSIONS AFFECTED --------------------------------------------------- * Password Policy 6.x-1.x versions prior to 6.x-1.4. Drupal core is not affected. If you do not use the contributed Password policy [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Password Policy module for Drupal 6.x, upgrade to Password Policy 6.x-1.4 [5]. Clear the site's cache: visit Administer > Site Configuration > Performance and click "Clear cached data." See also the Password policy [6] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Erik Webb [8] the module co-maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/password_policy [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/security-advisory-policy [4] http://drupal.org/project/password_policy [5] http://drupal.org/node/1401654 [6] http://drupal.org/project/password_policy [7] http://drupal.org/user/36762 [8] http://drupal.org/user/273404 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0