SA-CONTRIB-2013-053 - Login Security - Multiple Vulnerabilities

Login Security module adds additional access controls to the login form of Drupal.

When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to login can consume all the web serving processes, causing a denial of service.

It is possible to bypass Login Security features when soft blocking is disabled or when the attacker has an account on the site. This is due to the incorrect use of string filtering in the module which can cause the module to skip all checks.

CVE identifier(s) issued

• CVE-2013-2197: When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to login can consume all the web serving processes, causing a denial of service.
• CVE-2013-2198: It is possible to bypass Login Security features when soft blocking is disabled. This is due to the incorrect use of string filtering in the module which can cause the module to skip all checks.

Versions affected

• Login Security 6.x-1.x versions prior to 6.x-1.2.
• Login Security 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Login Security module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Login Security module for Drupal 6.x, upgrade to Login Security 6.x-1.3
• If you use the Login Security module for Drupal 7.x, upgrade to Login Security 7.x-1.3

Also see the Login Security project page.

Reported by

• David Stoline and Heine Deelstra of the Drupal Security Team

Fixed by

• David Norman the module maintainer
• Chris Yu

Coordinated by

• David Stoline of the Drupal Security Team