Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2012-001

HistoryJan 04, 2012 - 12:00 a.m.

SA-CONTRIB-2012-001 - Registration Codes - Access bypass

2012-01-0400:00:00

Drupal Security Team

www.drupal.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

70.1%

JSON

CVE: CVE-2012-1623

The Registration Codes module enables site administrators to restrict registration for new accounts to only users who provide a valid registration code.

The default module installation provides no access check for the registration code list, leading to a vulnerability that allows unauthenticated members to easily view the registration code list.

Versions affected

Registration Codes module for Drupal 6.x versions prior to 6.x-2.4

Drupal core is not affected. If you do not use the contributed Registration Codes module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Registration Codes module for Drupal 6.x upgrade to Registration codes 6.x-2.4 or later.

Reported by

Thomas Bonte (toemaz)

Fixed by

Aidan Lister (aidanlis), module maintainer

References

drupal.org/contact

drupal.org/node/877992

drupal.org/project/regcode

drupal.org/security-team

drupal.org/security/secure-configuration

drupal.org/user/19502

drupal.org/user/502018

drupal.org/writing-secure-code

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

70.1%

JSON

Related for DRUPAL-SA-CONTRIB-2012-001