View online: https://drupal.org/node/2288341
* Advisory ID: DRUPAL-SA-CONTRIB-2014-062 * Project: Password policy [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-June-18 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.
.... Access bypass and information disclosure (7.x only)
The module has a history constraint, which when enabled, disallows a user's password from being changed to match a specified number of their previous passwords. For this to work, the module stores a history of all previous user password hashes from the time the module is enabled (regardless of whether the history constraint is enabled).
Upon upgrading from 6.x to 7.x, the module does not convert these hashes from the Drupal 6 format to the Drupal 7 format. This has two consequences: 1. Users can change their passwords to old passwords used in Drupal 6 in violation of the history constraint. 2. Previous user passwords from Drupal 6 are kept indefinitely in Drupal 7 as weak MD5 hashes. If a site is compromised, past user passwords are at high risk of exposure.
This vulnerability is mitigated by the fact that only sites using 7.x that have previously used 6.x are affected.
.... Access bypass (6.x)
The module has a feature that lets an administrator force a password change for one or more users at their next login. These users are unable to access the website beyond their account page until changing their password.
A bug exists in 6.x where a password change will not be enforced when a user_save() is performed between the time when the administrator forces the password change and the time the affected user logs in. This can lead to users retaining insecure passwords.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Password Policy 6.x-1.x versions prior to 6.x-1.7. * Password Policy 7.x-1.x versions prior to 7.x-1.7. * Password Policy 7.x-2.x versions prior to 7.x-2.0-alpha2.
Drupal core is not affected. If you do not use the contributed Password policy [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Warning: If you are using 7.x, and have used 6.x in the past on the same site, you are advised to back up your database prior to upgrading to the latest version to reduce the risk of an unforeseen upgrade problem causing permanent loss of password history.
Install the latest version:
* If you use the Password Policy module for Drupal 6.x, upgrade to 6.x-1.7 [5] * If you use the Password Policy 1.x module for Drupal 7.x, upgrade to 7.x-1.7 [6] * If you use the Password Policy 2.x module for Drupal 7.x, upgrade to 7.x-2.0-alpha2 [7]
Also see the Password policy [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ryan Courtnage [9] * AohRveTPV [10] the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Ryan Courtnage [11] * AohRveTPV [12] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [18]
[1] http://drupal.org/project/password_policy [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/password_policy [5] https://drupal.org/node/2287973 [6] https://drupal.org/node/2287985 [7] https://drupal.org/node/2287991 [8] http://drupal.org/project/password_policy [9] http://drupal.org/u/ryan_courtnage [10] http://drupal.org/u/aohrvetpv [11] http://drupal.org/u/ryan_courtnage [12] http://drupal.org/u/aohrvetpv [13] https://drupal.org/u/greggles [14] http://drupal.org/contact [15] http://drupal.org/security-team [16] http://drupal.org/writing-secure-code [17] http://drupal.org/security/secure-configuration [18] https://twitter.com/drupalsecurity