Drupal Security Team - DRUPAL-SA-CONTRIB-2015-065
History: Mar 04, 2015 - 12:00 a.m.

SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities

2015-03-04 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 6.8 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low (Percentile: 70.7%)

The Registration codes module allows new account registrations only for users who provide a valid registration code.

The module was not properly sanitizing user-supplied text on some pages, thereby exposing XSS vulnerabilities.

Additionally, some URLs were not protected against CSRF. A malicious user can cause an administrator to delete rules (7.x-1.x, 6.x-1.x and 6.x-2.x) and registration codes (6.x-1.x only) by getting the administrator's browser to make a request to a specially crafted URL.

The XSS vulnerabilities may be mitigated by the fact that an attacker must have an account that is permitted to create or edit taxonomy terms or nodes.
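The two bug classes above, illustrated as a constructed Drupal 7 module (hypothetical name "regcode_demo", hypothetical permission name, rules stored with variable_get()/variable_set() for brevity); this is an added example, not code from the Registration codes module or its fix:

```php
<?php
// Constructed Drupal 7 example (hypothetical module "regcode_demo"), not code
// from the Registration codes module. Rules live in variable_get()/set().

/**
 * Implements hook_menu().
 */
function regcode_demo_menu() {
  $items['admin/config/people/regcode-demo'] = array(
    'title' => 'Registration rules',
    'page callback' => 'regcode_demo_list',
    'access arguments' => array('administer registration codes'),
  );
  $items['admin/config/people/regcode-demo/%/delete'] = array(
    'title' => 'Delete rule',
    'page callback' => 'regcode_demo_delete',
    'page arguments' => array(4),
    'access arguments' => array('administer registration codes'),
  );
  return $items;
}

// Listing: user-supplied labels are escaped with check_plain() (the missing
// step behind the XSS), and each delete link carries a session-bound token.
function regcode_demo_list() {
  $rows = array();
  foreach (variable_get('regcode_demo_rules', array()) as $id => $label) {
    $path = "admin/config/people/regcode-demo/$id/delete";
    $query = array('token' => drupal_get_token('regcode_demo_delete_' . $id));
    $rows[] = array(check_plain($label), l(t('delete'), $path, array('query' => $query)));
  }
  $header = array(t('Rule'), t('Operations'));
  return theme('table', array('header' => $header, 'rows' => $rows));
}

// Delete callback: a plain GET URL that deletes on sight is the CSRF; the
// token check ties the request to a link rendered for this session.
function regcode_demo_delete($id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'regcode_demo_delete_' . $id)) {
    return MENU_ACCESS_DENIED;
  }
  $rules = variable_get('regcode_demo_rules', array());
  unset($rules[$id]);
  variable_set('regcode_demo_rules', $rules);
  drupal_set_message(t('Rule deleted.'));
  drupal_goto('admin/config/people/regcode-demo');
}
```

Without the drupal_valid_token() check, the delete callback would run for any request that reaches it, which is the pattern the advisory describes; the same protection comes for free when a delete goes through a Form API confirm_form(), since the Form API validates its own token.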

CVE identifier(s) issued

  • Cross Site Scripting: CVE-2015-4359
  • Cross Site Request Forgery leading to deletion of rules: CVE-2015-4360
  • Cross Site Request Forgery leading to deletion of registration codes: CVE-2015-4361

Versions affected

  • Registration codes 6.x-1.x versions prior to 6.x-1.6
  • Registration codes 6.x-2.x versions prior to 6.x-2.8
  • Registration codes 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.

Solution

  • If you use the Registration codes module for Drupal 6.x, upgrade to Registration codes 6.x-1.6 or Registration codes 6.x-2.8
  • If you use the Registration codes module for Drupal 7.x, upgrade to Registration codes 7.x-1.2

Reported by

Fixed by

Coordinated by
