[Security-news] SA-CONTRIB-2010-091 - Mollom - Information Disclosure

security-news at drupal.org security-news at drupal.org
Wed Sep 15 15:44:42 UTC 2010 

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-091
  * Project: Mollom (third-party module)
  * Version: 6.x
  * Date: 2010-September-15
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

-------- DESCRIPTION  
---------------------------------------------------------

The Mollom module provides a combination of CAPTCHA challenges with text
analysis to intelligently block spam. In some configurations, sensitive user
data (e.g., a user's plain-text password) might be logged through calls to
Drupal's watchdog API. This vulnerability is mitigated by the fact that this
information would only be disclosed to users with access to view log
messages, usually a role with the 'access site reports' permission or access
to system syslog files, which should generally only be granted to trusted
users.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Mollom module for Drupal 6.x versions prior to 6.x-1.14

Mollom for Drupal 5.x is not affected, but the alpha Mollom release for
Drupal 7.x is affected. Drupal core is not affected. If you do not use the
contributed Mollom module there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use the Mollom module for Drupal 6.x upgrade to the 6.x-1.14
    version [1]

See also the Mollom project page [2].
-------- REPORTED BY  
---------------------------------------------------------

  * Katherine Senzee (ksenzee) [3]

-------- FIXED BY  
------------------------------------------------------------

  * Daniel Kudwien (sun) [4], module co-maintainer
  * Dries [5], module co-maintainer

-------- CONTACT  
-------------------------------------------------------------

The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/912420
[2] http://drupal.org/project/mollom
[3] http://drupal.org/user/139855
[4] http://drupal.org/user/54136
[5] http://drupal.org/user/1
[6] http://drupal.org/security-team

More information about the Security-news mailing list