
it-securitynotifies - [IT-SecNots] [Security-news] Password Policy - Less critical - Denial of Service - SA-CONTRIB-2018-077

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Password Policy - Less critical - Denial of Service - SA-CONTRIB-2018-077
  • Date: Wed, 5 Dec 2018 19:48:29 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-077

Project: Password Policy [1]
Version: 7.x-1.x-dev
Date: 2018-December-05
Security risk: *Less critical* 9∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Denial of Service

Description: 
The Password Policy module makes it possible to set constraints on user
passwords which disallow certain passwords.

The "digit placement" constraint is vulnerable to Denial of Service attacks
if an attacker submits specially crafted passwords which can cause a site to
become unresponsive.

This vulnerability is mitigated by the fact that a site must have the "digit
placement" constraint enabled.

Solution: 
Install the latest version:

* If you use the Password Policy module for Drupal 7.x, upgrade to Password
Policy 7.x-1.16 [3]

Reported By: 
* Michael Sherron [4]

Fixed By: 
* AohRveTPV [5]

Coordinated By: 
* Greg Knaddison [6] of the Drupal Security Team
* David Snopek [7] of the Drupal Security Team


[1] https://www.drupal.org/project/password_policy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/password_policy/releases/7.x-1.16
[4] https://www.drupal.org/user/470070
[5] https://www.drupal.org/user/2760115
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/dsnopek
