Drupal Security Team, DRUPAL-SA-CONTRIB-2015-162
History: Nov 04, 2015 - 12:00 a.m.

Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162

2015-11-04 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.011 (Percentile: 84.4%)

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key that must be appended to the URL of the ?q=user login form page.

The Login Disable module doesn't support other contributed user authentication modules such as CAS or URL Login. When it is combined with those modules, the protection that prevents a user from logging in does not take effect.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. The bug therefore allows users to log in even if they do not have permission to log in.
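The design lesson from this advisory is complete mediation: a login restriction enforced only as a validator on the core login form is not seen by authentication modules that finish a login through their own path. The added example below is a hypothetical Drupal 7 module written for this page (not the Login Disable module's own code); it shows the form-only pattern beside enforcement in hook_user_login(), which user_login_finalize() invokes for every login that passes through it. The variable name login_guard_key, the ?key= parameter and the permission name are invented, and it assumes that the other authentication modules do call user_login_finalize().

```php
<?php
// Hypothetical module "login_guard" (example code, not Login Disable's).
// Assumed settings: the secret lives in variable 'login_guard_key' and is
// supplied as the ?key= query parameter; both names are invented here.

/**
 * Weak pattern: a validator attached only to the core user_login form
 * (and, in the same way, user_login_block). A module that authenticates
 * elsewhere and then calls user_login_finalize() never runs it.
 */
function login_guard_form_user_login_alter(&$form, &$form_state) {
  $form['#validate'][] = 'login_guard_validate';
}

function login_guard_validate($form, &$form_state) {
  if (!login_guard_request_allowed()) {
    form_set_error('name', t('Logins are currently disabled.'));
  }
}

/**
 * Hardened pattern: apply the same rule at the point every successful
 * login reaches. hook_user_login() fires from user_login_finalize(), so
 * the check holds for any authentication module routed through it.
 */
function login_guard_user_login(&$edit, $account) {
  if (login_guard_request_allowed() || user_access('bypass login guard', $account)) {
    return;
  }
  watchdog('login_guard', 'Blocked login for uid %uid.', array('%uid' => $account->uid), WATCHDOG_WARNING);
  // Tear down the session that was just created and drop back to anonymous.
  drupal_session_destroy_uid($account->uid);
  $GLOBALS['user'] = drupal_anonymous_user();
  drupal_goto('<front>');
}

function login_guard_permission() {
  return array('bypass login guard' => array('title' => t('Bypass the login guard')));
}

/**
 * The single decision both paths share: allow the login only when the
 * request carries the configured key (constant-time compare, PHP 5.6+).
 */
function login_guard_request_allowed() {
  $key = variable_get('login_guard_key', '');
  if ($key === '') {
    return TRUE; // Feature not configured: nothing to enforce.
  }
  return isset($_GET['key']) && hash_equals($key, (string) $_GET['key']);
}
```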

CVE identifier(s) issued

  • CVE-2015-8082

Versions affected

  • Login Disable 6.x-1.x versions prior to 6.x-1.1.
  • Login Disable 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Login Disable module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Login Disable module for Drupal 6.x, upgrade to Login Disable 6.x-1.1
  • If you use the Login Disable module for Drupal 7.x, upgrade to Login Disable 7.x-1.2

Also see the Login Disable project page.

Reported by

  • Gunnar Mathisen

Fixed by

  • Bryan Heisler
  • Brian Gilbert, the module maintainer

Coordinated by
