Drupal Security Team | DRUPAL-SA-CONTRIB-2012-159
History: Oct 31, 2012 - 12:00 a.m.

SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords

Published 2012-10-31 00:00:00 by the Drupal Security Team (www.drupal.org)

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.005 Low (percentile 75.8%)

This module provides a way to require a certain level of password complexity (also known as "password hardening") for user passwords on a site by defining a password policy.

The Password policy module can require users to choose a new password that does not match any of the previous X passwords they have used (X is set in the site configuration). When this feature is enabled, a malicious user able to observe another user's HTTP traffic can recover the hashed form of that user's password. The issue is a greater risk on Drupal 6 sites, which use the default unsalted MD5 password hashing.

This issue only affects sites that use the module's "previous passwords" feature and do not protect their users' HTTP traffic with SSL/TLS.

CVE: CVE-2012-5552

Versions affected

  • Password policy 6.x-1.x versions prior to 6.x-1.5.
  • Password policy 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.
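As an added example (not code from the advisory or the Password policy project), the Python check below reads a module's .info file and compares its version string against the fixed releases named in this advisory, so a site inventory can flag installs that still need the upgrade; the sample .info content is constructed.

```python
import re

# Fixed releases named in this advisory, keyed by Drupal core branch.
FIXED_VERSIONS = {"6.x": "6.x-1.5", "7.x": "7.x-1.3"}
# Contrib version strings look like 6.x-1.4, 7.x-1.0-beta2 or 7.x-1.x-dev.
VERSION_RE = re.compile(
    r"^(?P<core>\d+\.x)-(?P<major>\d+)\.(?P<minor>\d+|x)"
    r"(?:-(?P<pre>dev|alpha|beta|rc)(?P<prenum>\d*))?$"
)
# Pre-release tags sort below the final release carrying the same number.
PRE_ORDER = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4}

def parse_version(version):
    """Turn a contrib version string into a tuple that sorts in release order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Drupal contrib version: %r" % version)
    minor = -1 if m.group("minor") == "x" else int(m.group("minor"))  # 1.x-dev snapshot
    return (m.group("core"), int(m.group("major")), minor,
            PRE_ORDER[m.group("pre")], int(m.group("prenum") or 0))

def read_info_version(info_text):
    """Return the 'version = ...' value from a Drupal .info file, or None if absent."""
    for line in info_text.splitlines():
        m = re.match(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None

def is_affected(version):
    """True when this Password policy release predates the fixed release for its branch."""
    installed = parse_version(version)
    fixed = FIXED_VERSIONS.get(installed[0])
    if fixed is None:
        return False  # branch not covered by this advisory
    return installed < parse_version(fixed)

# Constructed sample .info file in the layout a Drupal 7 contrib release ships (not a real one).
SAMPLE_INFO = """name = Password policy
description = "Enforces a password policy."
core = 7.x
version = "7.x-1.2"
project = "password_policy"
"""

if __name__ == "__main__":
    v = read_info_version(SAMPLE_INFO)
    print(v, "affected" if is_affected(v) else "not affected")  # 7.x-1.2 affected
```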

Solution

Install the latest version:

  • If you use the Password policy module for Drupal 6.x, upgrade to Password policy 6.x-1.5
  • If you use the Password policy module for Drupal 7.x, upgrade to Password policy 7.x-1.3

Also see the Password policy project page.

