[Security-news] SA-CONTRIB-2014-51 - Realname Registration - Information Disclosure

security-news at drupal.org security-news at drupal.org
Wed May 14 16:59:47 UTC 2014


View online: https://drupal.org/node/2267481

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-051
   * Project: Realname registration [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-05-14
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to generate usernames based on fields filled out by
the user during registration. The module doesn't sufficiently restrict access
to the settings for determining which user fields are incorporated into
usernames, and doesn't properly validate generated user names.

Any user with the "access administration pages" permission can change which
fields are used to generate this name. This may publicly expose user profile
fields intended to be kept private. This vulnerability is mitigated by the
fact that an attacker must have a role with the permission "access
administration pages".

In addition, generated user names are not passed through the core function
user_validate_name(). This vulnerability is mitigated by the fact that it
only impacts custom modules or themes which do not properly filter usernames
through check_plain() before displaying them.
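The two mitigations implied above (stronger access control on the field-selection settings, and core validation plus output escaping of generated names), shown as an added example in a hypothetical Drupal 7 module; this is constructed for this advisory and is not the Realname Registration module's own code. The module name safe_realname, the variable safe_realname_fields and the settings form callback are assumptions; user_validate_name(), check_plain(), format_username() and hook_menu()'s 'access arguments' key are real Drupal 7 APIs.

```php
<?php
// Hypothetical Drupal 7 module "safe_realname" (constructed; not the Realname Registration module's own code).

/**
 * Implements hook_menu().
 *
 * The settings page decides which profile fields are exposed inside a public
 * username, so it is gated on 'administer users' instead of the widely
 * granted 'access administration pages' the advisory describes.
 */
function safe_realname_menu() {
  $items['admin/config/people/safe-realname'] = array(
    'title' => 'Realname generation',
    'page callback' => 'drupal_get_form',
    // Form callback assumed to exist elsewhere in the module.
    'page arguments' => array('safe_realname_settings_form'),
    'access arguments' => array('administer users'),
  );
  return $items;
}

/**
 * Builds a username from the administrator-approved registration fields.
 *
 * Returns the name, or NULL with core's error message in $error when
 * user_validate_name() rejects it (empty, illegal characters, too long).
 */
function safe_realname_generate(array $values, &$error = NULL) {
  // Constructed default; in practice set via the settings form above.
  $fields = variable_get('safe_realname_fields', array('first_name', 'last_name'));
  $parts = array();
  foreach ($fields as $field) {
    if (isset($values[$field]) && trim($values[$field]) !== '') {
      $parts[] = trim($values[$field]);
    }
  }
  $name = implode('.', $parts);
  // user_validate_name() returns an error string, or NULL when the name is valid.
  $error = user_validate_name($name);
  return $error === NULL ? $name : NULL;
}

/**
 * Output-side defence: escape the validated name with check_plain() before
 * rendering, the filtering step the advisory says custom code must not skip.
 */
function safe_realname_display_name($account) {
  return check_plain(format_username($account));
}
```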


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes.

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
   * Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.

Drupal core is not affected. If you do not use the contributed Realname
registration [4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

   * If you use the Realname Registration module for Drupal 6.x, upgrade to
     Realname Registration 6.x-2.0 [5]
   * If you use the Realname Registration module for Drupal 7.x, upgrade to
     Realname Registration 7.x-2.0 [6]

Also see the Realname registration [7] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Matt Corks [8]

-------- FIXED BY
------------------------------------------------------------

   * Steve Gerbino [9] and Matt Corks [10], the module maintainers

-------- COORDINATED BY
------------------------------------------------------

   * Beth Binkovitz [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/realname_registration
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/realname_registration
[5] https://drupal.org/node/2267419
[6] https://drupal.org/node/2267429
[7] http://drupal.org/project/realname_registration
[8] http://drupal.org/user/15016
[9] http://drupal.org/user/877974
[10] http://drupal.org/user/15016
[11] http://drupal.org/user/161263
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity


