[Security-news] SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities

security-news at drupal.org
Wed Jun 18 16:33:52 UTC 2014


View online: https://drupal.org/node/2288341

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-062
   * Project: Password policy [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-June-18
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Password Policy module enables you to define and enforce password
policies with various constraints on allowable user passwords.

.... Access bypass and information disclosure (7.x only)

The module has a history constraint, which when enabled, disallows a user's
password from being changed to match a specified number of their previous
passwords.  For this to work, the module stores a history of all previous
user password hashes from the time the module is enabled (regardless of
whether the history constraint is enabled).

Upon upgrading from 6.x to 7.x, the module does not convert these hashes from
the Drupal 6 format to the Drupal 7 format.  This has two consequences:
1. Users can change their passwords to old passwords used in Drupal 6 in
violation of the history constraint.
2. Previous user passwords from Drupal 6 are kept indefinitely in Drupal 7 as
weak MD5 hashes.  If a site is compromised, past user passwords are at high
risk of exposure.

This vulnerability is mitigated by the fact that only sites using 7.x that
have previously used 6.x are affected.
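As an added illustration (not code from the module or from the advisory), the following Python re-implements Drupal 7 core's `$S$` password scheme and the `U$` wrapping that core's `user_check_password()` accepts for accounts migrated from Drupal 6, then runs the history comparison against a constructed history row: a bare Drupal 6 MD5 row has no `$S$` setting string, so the comparison can never succeed and the reuse goes undetected, whereas wrapping the row the way core wraps migrated accounts (prefix `U`, then hash the MD5 digest) restores the check. Function names are mine; the sample password is constructed.

```python
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _b64(raw: bytes) -> str:
    """phpass-style base64 over ITOA64 (3 bytes -> 4 chars, little-endian), as in password.inc."""
    out = ""
    for j in range(0, len(raw), 3):
        chunk = raw[j:j + 3]
        v = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out += ITOA64[(v >> (6 * k)) & 0x3F]
    return out

def d6_hash(password: str) -> str:
    """What Drupal 6 stored, and what the module's history table inherits: plain MD5."""
    return hashlib.md5(password.encode()).hexdigest()

def d7_crypt(password: str, setting: str) -> str:
    """Drupal 7 '$S$' scheme: 2**count_log2 rounds of SHA-512 over salt + password."""
    setting = setting[:12]                      # "$S$" + count char + 8-char salt
    count, salt, pw = 1 << ITOA64.index(setting[3]), setting[4:12], password.encode()
    h = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(count):
        h = hashlib.sha512(h + pw).digest()
    return (setting + _b64(h))[:55]              # DRUPAL_HASH_LENGTH

def d7_hash(password: str, count_log2: int = 15) -> str:
    return d7_crypt(password, "$S$" + ITOA64[count_log2] + _b64(os.urandom(6)))

def d7_check(password: str, stored: str) -> bool:
    """Mirrors core's user_check_password(): 'U$S$' marks a wrapped Drupal 6 MD5 hash."""
    if stored.startswith("U$"):
        stored, password = stored[1:], d6_hash(password)
    if not stored.startswith("$S$"):
        return False  # a bare 32-hex Drupal 6 row has no setting string: never matches
    return d7_crypt(password, stored) == stored

def wrap_d6_hash(md5_hex: str) -> str:
    """Convert a legacy row the way core migrates accounts: 'U' + hash-of-the-MD5."""
    return "U" + d7_hash(md5_hex)

def reused_in_history(new_password: str, history: list) -> bool:
    return any(d7_check(new_password, h) for h in history)

if __name__ == "__main__":
    row = d6_hash("correct horse")                   # constructed Drupal 6 history row
    print(reused_in_history("correct horse", [row]))                  # False: bypass
    print(reused_in_history("correct horse", [wrap_d6_hash(row)]))    # True: detected
```

The first call shows the unconverted history row letting an old password through; the second shows the same row after conversion being caught.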

.... Access bypass (6.x)

The module has a feature that lets an administrator force a password change
for one or more users at their next login. These users are unable to access
the website beyond their account page until changing their password.

A bug exists in 6.x where a password change will not be enforced when a
user_save() is performed between the time when the administrator forces the
password change and the time the affected user logs in. This can lead to
users retaining insecure passwords.


-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

   * A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes.

-------- VERSIONS AFFECTED ---------------------------------------------------

   * Password Policy 6.x-1.x versions prior to 6.x-1.7.
   * Password Policy 7.x-1.x versions prior to 7.x-1.7.
   * Password Policy 7.x-2.x versions prior to 7.x-2.0-alpha2.

Drupal core is not affected. If you do not use the contributed Password
policy [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Warning: If you are using 7.x, and have used 6.x in the past on the same
site, you are advised to back up your database prior to upgrading to the
latest version to reduce the risk of an unforeseen upgrade problem causing
permanent loss of password history.

Install the latest version:

   * If you use the Password Policy module for Drupal 6.x, upgrade to 6.x-1.7
     [5]
   * If you use the Password Policy 1.x module for Drupal 7.x, upgrade to
     7.x-1.7 [6]
   * If you use the Password Policy 2.x module for Drupal 7.x, upgrade to
     7.x-2.0-alpha2 [7]

Also see the Password policy [8] project page.

-------- REPORTED BY ---------------------------------------------------------

   * Ryan Courtnage [9]
   * AohRveTPV [10] the module maintainer

-------- FIXED BY ------------------------------------------------------------

   * Ryan Courtnage [11]
   * AohRveTPV [12] the module maintainer

-------- COORDINATED BY ------------------------------------------------------

   * Greg Knaddison [13] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]


[1] http://drupal.org/project/password_policy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/password_policy
[5] https://drupal.org/node/2287973
[6] https://drupal.org/node/2287985
[7] https://drupal.org/node/2287991
[8] http://drupal.org/project/password_policy
[9] http://drupal.org/u/ryan_courtnage
[10] http://drupal.org/u/aohrvetpv
[11] http://drupal.org/u/ryan_courtnage
[12] http://drupal.org/u/aohrvetpv
[13] https://drupal.org/u/greggles
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity


