Drupal Security Team, DRUPAL-SA-CONTRIB-2014-069, Jul 09, 2014 - 12:00 a.m.

SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS)

2014-07-09 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.003
Percentile: 70.4%

This module enables you to customise the standard Drupal registration and login processes.

Cross Site Scripting

The module doesn’t filter user-supplied information from the URL resulting in a reflected Cross Site Scripting (XSS) vulnerability.

Access Bypass

The module introduces a concept of a “pre-authorized role” which can have different permissions than the normal Drupal core authorized role. Logintoboggan usually removes permissions for a user if those permissions are in the “authorized user” role and not in the “pre-authorized role”. The module failed to remove those permissions for users in a pre-authorized state on all “Page Not Found” (i.e. 404) pages.

This vulnerability is mitigated by the fact that a site must use the “pre-authorized role” feature and an attacker would only gain permissions available to authenticated users and would only gain them on 404 pages which do not show private information in a default Drupal installation.
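A constructed model of the access-bypass logic described above, added here as an example and not Logintoboggan's own code: the permission names, routes and function names are assumed. It places the pre-fix behaviour, where the pre-authorized reduction is skipped on 404 responses, next to the corrected ordering, and adds a regression check that flags any permission visible on a 404 page but not on a normal page.

```python
# Constructed model of the "pre-authorized role" permission filtering described in
# the advisory. It is NOT Logintoboggan's code; names, routes and structure are assumed.

AUTHENTICATED_PERMS = {"access content", "post comments", "access user profiles"}
PRE_AUTHORIZED_PERMS = {"access content"}  # reduced role for not-yet-validated accounts
ROUTES = {"/node/1", "/user"}  # constructed: paths that resolve on the site


def filter_pre_authorized(perms, authenticated_perms, pre_authorized_perms):
    """Drop any permission granted via the authenticated role but not via the
    pre-authorized role. This is the reduction the module normally applies."""
    return perms - (authenticated_perms - pre_authorized_perms)


def serve_vulnerable(path, perms):
    """Pre-fix behaviour: the reduction only runs for resolved pages, so the
    'Page Not Found' response is rendered with the full authenticated set."""
    if path not in ROUTES:
        return 404, set(perms)  # filter never runs on the 404 path
    return 200, filter_pre_authorized(perms, AUTHENTICATED_PERMS, PRE_AUTHORIZED_PERMS)


def serve_fixed(path, perms):
    """Corrected ordering: reduce permissions before routing, so every response,
    404 included, sees the same effective set."""
    effective = filter_pre_authorized(perms, AUTHENTICATED_PERMS, PRE_AUTHORIZED_PERMS)
    status = 200 if path in ROUTES else 404
    return status, effective


def leaked_permissions(serve, paths, perms):
    """Regression check: a permission visible on some path but absent on a resolved
    page is a bypass. Returns the set of leaked permissions (empty when safe)."""
    baseline = serve("/node/1", perms)[1]
    leaked = set()
    for p in paths:
        leaked |= serve(p, perms)[1] - baseline
    return leaked


if __name__ == "__main__":
    user = set(AUTHENTICATED_PERMS)  # a pre-authorized user still carries these grants
    for name, serve in (("vulnerable", serve_vulnerable), ("fixed", serve_fixed)):
        print(name, sorted(leaked_permissions(serve, ["/node/1", "/no-such-page"], user)))
```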

CVE identifier(s) issued

  • Access Bypass: CVE-2014-9361
  • Cross Site Scripting: CVE-2014-9364

Versions affected

  • Logintoboggan 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Logintoboggan module for Drupal 7.x, upgrade to Logintoboggan 7.x-1.4

Also see the LoginToboggan project page.

Reported by

Fixed by

Coordinated by
