[Security-news] SA-CONTRIB-2014-070 - Password Policy - Access Bypass

security-news at drupal.org security-news at drupal.org
Wed Jul 16 17:39:40 UTC 2014


View online: https://www.drupal.org/node/2304213

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-070
   * Project: Password Policy [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-July-16
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

The Password Policy module enables you to define and enforce password
policies with various constraints on allowable user passwords.

.... Access Bypass (7.x only)

Password Policy has a Password Change Tab submodule which provides a tab for
a user to change their password.  Password Policy also has a history
constraint which disallows a user from changing their password to one of a
specified number of their previous passwords.

When the Password Change Tab module and the history constraint are both
enabled, password history will not be stored for a user who changes their
password using the password tab.  This will allow the user to change their
password to one of their previous passwords in violation of the history
constraint.

This vulnerability is mitigated by the fact that it only exists when both the
Password Change Tab module and the history constraint are enabled.
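The following is an added illustration of the history-constraint bypass described above; it is not Password Policy's own code. The store, the hashing scheme (PBKDF2 over a per-user salt), the history depth of three and the two change paths are assumptions chosen to make the failure mode visible: one path records the new hash in the history, the other (standing in for the unpatched change tab) sets the password but never records it, so the password set through it can be reused later.

```python
"""History constraint with a compliant and a non-recording change path.

Added example, not Password Policy's code. PasswordStore, HISTORY_DEPTH
and the change_via_* names are assumptions made for this illustration.
"""
import hashlib
import os
from collections import deque

HISTORY_DEPTH = 3  # assumed policy: the last 3 passwords may not be reused


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class PasswordStore:
    """Per-user salt, current hash and a bounded history of recent hashes."""

    def __init__(self):
        self.salt = {}      # uid -> salt
        self.current = {}   # uid -> current hash
        self.history = {}   # uid -> deque of the last HISTORY_DEPTH hashes

    def _ensure(self, uid):
        self.salt.setdefault(uid, os.urandom(16))
        self.history.setdefault(uid, deque(maxlen=HISTORY_DEPTH))

    def change_via_account_form(self, uid, new_password) -> bool:
        """Compliant path: enforces the constraint and records the new hash."""
        self._ensure(uid)
        h = _hash(new_password, self.salt[uid])
        if h in self.history[uid]:
            return False  # reuse of a recent password is refused
        self.current[uid] = h
        self.history[uid].append(h)
        return True

    def change_via_tab_unpatched(self, uid, new_password) -> bool:
        """Models the bug: the constraint is checked, but the new hash is
        never added to the history, so this password is invisible to
        future checks."""
        self._ensure(uid)
        h = _hash(new_password, self.salt[uid])
        if h in self.history[uid]:
            return False
        self.current[uid] = h   # history deliberately not updated
        return True

    def change_via_tab_patched(self, uid, new_password) -> bool:
        """Fixed path: behaves exactly like the account form."""
        return self.change_via_account_form(uid, new_password)


def reuse_possible(tab_change) -> bool:
    """Set a password through `tab_change`, move on to another password,
    then try to revert. Returns True if the revert was (wrongly) accepted."""
    store = PasswordStore()
    uid = 42  # constructed sample account
    assert store.change_via_account_form(uid, "first-password")
    assert tab_change(store, uid, "second-password")
    assert store.change_via_account_form(uid, "third-password")
    return store.change_via_account_form(uid, "second-password")


if __name__ == "__main__":
    print("unpatched tab allows reuse:", reuse_possible(PasswordStore.change_via_tab_unpatched))
    print("patched tab allows reuse:  ", reuse_possible(PasswordStore.change_via_tab_patched))
```

The check that matters is the last line of `reuse_possible`: with the non-recording path the revert to "second-password" succeeds because that hash was never written to the history, which is the violation the advisory describes; with the patched path it is refused.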

.... Access Bypass (6.x and 7.x)

Password Policy has a feature that allows an administrator to force one or
more users to change their password at their next login.  Under certain
circumstances, the users may not actually be forced to change their
passwords.

Specifically, if an update operation is programmatically performed on the
user between the time the administrator flags that user for a forced
password change and the time the user next logs in, the user will no longer
be flagged for a forced password change.  For instance, executing the Drush
command drush user-add-role to add a role to a user who is flagged for a
password change would clear that user's forced password change.

This vulnerability is mitigated by the fact that it only affects users for
whom an administrator has forced a password change.
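The following is an added illustration of the forced-change flag being lost by an unrelated update; it is not the module's code and does not reproduce its tables or hooks. The assumed mechanism, chosen because it matches the advisory's description that any programmatic update clears the flag, is an update hook that treats every save of the account as completing the forced change. The corrected hook only clears the flag when the stored password hash actually changed, so a role change such as drush user-add-role leaves the flag in place.

```python
"""Forced-password-change flag versus programmatic user updates.

Added example, not Password Policy's code. UserStore, the two hook
functions, add_role() and the "$S$..." hash strings are assumptions and
placeholders made for this illustration.
"""
import copy


class UserStore:
    """Minimal user table with an update hook, standing in for user_save()."""

    def __init__(self, on_update):
        self.rows = {}
        self.force_change = set()   # uids that must change password at next login
        self.on_update = on_update  # called as on_update(store, original, updated)

    def create(self, uid, pass_hash, roles=()):
        self.rows[uid] = {"uid": uid, "pass": pass_hash, "roles": set(roles)}

    def load(self, uid):
        return copy.deepcopy(self.rows[uid])

    def save(self, user):
        original = self.rows[user["uid"]]
        self.rows[user["uid"]] = copy.deepcopy(user)
        self.on_update(self, original, self.rows[user["uid"]])


def clear_flag_on_any_update(store, original, updated):
    """Assumed buggy behaviour: every save is taken as a completed change."""
    store.force_change.discard(updated["uid"])


def clear_flag_only_on_password_change(store, original, updated):
    """Corrected behaviour: the flag survives saves that leave the hash alone."""
    if updated["pass"] != original["pass"]:
        store.force_change.discard(updated["uid"])


def add_role(store, uid, role):
    """Models a programmatic update such as `drush user-add-role`."""
    user = store.load(uid)
    user["roles"].add(role)
    store.save(user)


def still_forced_after_role_change(hook) -> bool:
    """Flag the account, perform an unrelated update, report whether the
    flag is still set."""
    store = UserStore(hook)
    store.create(7, "$S$old-hash", roles={"authenticated"})  # constructed sample
    store.force_change.add(7)          # administrator flags the account
    add_role(store, 7, "editor")       # unrelated update before next login
    return 7 in store.force_change


def cleared_after_real_password_change(hook) -> bool:
    """A genuine password change must still clear the flag."""
    store = UserStore(hook)
    store.create(7, "$S$old-hash")
    store.force_change.add(7)
    user = store.load(7)
    user["pass"] = "$S$new-hash"
    store.save(user)
    return 7 not in store.force_change


if __name__ == "__main__":
    for hook in (clear_flag_on_any_update, clear_flag_only_on_password_change):
        print(hook.__name__,
              "forced after role change:", still_forced_after_role_change(hook),
              "cleared after real change:", cleared_after_real_password_change(hook))
```

This is also why the advisory's second remediation step exists: any account that was flagged and then touched by such an update before the upgrade has silently lost its flag, and the upgrade alone does not restore it, so those users must be flagged again.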


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Password Policy 6.x-1.x versions prior to 6.x-1.8.
   * Password Policy 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Password
Policy [4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

   1) Install the latest version:
       * If you use the Password Policy module for Drupal 6.x, upgrade to
         Password Policy 6.x-1.8 [5]
       * If you use the Password Policy module for Drupal 7.x, upgrade to
         Password Policy 7.x-1.9 [6]

   2) Force users who may have been affected by the force password change
      vulnerability to change their passwords.

Also see the Password Policy [7] project page.

-------- REPORTED BY
---------------------------------------------------------

   * AohRveTPV [8]

-------- FIXED BY
------------------------------------------------------------

   * AohRveTPV [9] the module maintainer
   * Fabio Epifani [10]

-------- COORDINATED BY
------------------------------------------------------

   * Michael Hess [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] https://www.drupal.org/project/password_policy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/password_policy
[5] https://www.drupal.org/node/2303857
[6] https://www.drupal.org/node/2303845
[7] https://www.drupal.org/project/password_policy
[8] http://drupal.org/user/2760115
[9] http://drupal.org/user/2760115
[10] http://drupal.org/user/2840771
[11] https://www.drupal.org/u/mlhess
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity