SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities

This module enables you to specify a certain level of password complexity (aka. “password hardening”) for user passwords on a system by defining a policy.

Cross Site Request Forgery (CSRF)

CVE: CVE-2012-1633

Unblocking a user does not require sufficient confirmation by administrative users and can be exploited with a specially crafted URL.

Cross Site Scripting (XSS)

CVE: CVE-2012-1632

The module doesn’t sufficiently sanitize the name of password policies. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer policies”.

This issue also affects the 7.x branch which is only in beta release. Users of non-stable releases are encouraged to upgrade frequently as those releases are not covered by the Drupal Security Team policy.

Versions affected

• Password Policy 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Password Policy module for Drupal 6.x, upgrade to Password Policy 6.x-1.4.

Clear the site’s cache:
visit Administer > Site Configuration > Performance and click “Clear cached data.”

See also the Password policy project page.

Reported by

• Greg Knaddison of the Drupal Security Team

Fixed by

• Erik Webb the module co-maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team