[IT-SecNots] [Security-news] SA-CONTRIB-2014-057 - Password policy - General logic error

[security-news AT drupal.org]

View online: https://drupal.org/node/2271839

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-057
   * Project: Password policy [1] (third-party module)
   * Version: 7.x
   * Date: 2014-May-21
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: General logic error

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to define password policies with various constraints
on allowable user passwords. The history constraint, when enabled, disallows
a user's password from being changed to match a specified number of their
previous passwords.

Beginning with Password Policy 7.x-1.4, the history constraint had no effect
when enabled, and user passwords could be changed to match any previous
passwords beyond the most recent. Therefore, passwords of users that were
changed since Password Policy 7.x-1.4 or later was installed may match
previous passwords in violation of the history constraint.

This vulnerability is mitigated by the fact that it only affects users
covered by a password policy with the history constraint enabled.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Password policy 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Password
policy [4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

   1) Install the latest version:
       * If you use the Password policy module for Drupal 7.x, upgrade to
         Password policy 7.x-1.6 [5]

   2) Force a password change for all users covered by a password policy with
      the history constraint enabled.

Also see the Password policy [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * AohRveTPV [7]

-------- FIXED BY
------------------------------------------------------------

   * Alberto García Lamela [8]

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/password_policy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/password_policy
[5] https://drupal.org/node/2271835
[6] http://drupal.org/project/password_policy
[7] https://drupal.org/user/2760115
[8] https://drupal.org/user/1205082
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news