Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042


Chronologisch Thread 
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042
  • Date: Wed, 27 Jun 2018 18:24:40 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-042

Project: Generate Password [1]
Version: 7.x-1.x-dev
Date: 2018-June-27
Security risk: *Less critical* 9∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Insecure Randomness

Description: 
The Genpass module makes the password field optional (or hidden) on the add
new user page (admin & registration). If the password field is not set during
registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and
predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured
to reveal the password to the attacker which is a common configuration.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

Solution: 
Install the latest version:

* If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass
7.x-1.1 [4]

Also see the Generate Password [5] project page.

Reported By: 
* Greg Knaddison [6] of the Drupal Security Team

Fixed By: 
* Joel Stein [7] a module maintainer

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/genpass
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/genpass/releases/7.x-1.1
[5] https://www.drupal.org/project/genpass
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/36598
[8] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecNots] [Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042, security-news, 27.06.2018

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang