Drupal Realname User Reference Information Disclosure

Published: 16 Feb 2010. Reported by Martin Barbella. Type: packetstorm. Source: packetstormsecurity.com

Information disclosure vulnerability in Drupal's Realname User Reference
Widget contributed module (version 6.x-1.0)

Discovered by Martin Barbella <[email protected]>

Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide variety
of content on a website (http://drupal.org/about).

The Realname CCK User Reference Widget module adds a new widget to the
User Reference CCK field type that uses the Realnames for autocompletion
(http://drupal.org/project/realname_userreference).

Only the access content permission is needed to access the page which
displays the user names and real names for users, used by the
autocompletion widget, resulting in an information disclosure
vulnerability.

Systems affected:
-----------------
This has been confirmed in version 6.x-1.0 of the Realname User
Reference Widget module.

Impact:
-------
This would allow an attacker to collect user names for brute force
attacks, or real names of users for targeted phishing.

Mitigating factors:
-------------------
A user must have the access content permission to exploit this
vulnerability, though in most cases even anonymous users would have this
permission.

Proof of concept:
-----------------
1. Install the module and its dependencies
2. Configure Realname
3. As any user with access content, visit
   realnameuserreference/autocomplete or
   realnameuserreference/autocomplete/<search terms>
4. Note that real names and usernames can be gathered from the output

Timeline:
---------
2010-02-01 - Drupal Security notified
2010-02-16 - Still no response from Drupal Security
2010-02-16 - Public disclosure
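The weakness described above comes down to which permission gates the autocomplete path in the module's Drupal 6 menu router. The following is an added illustration, not the Realname User Reference module's own code: it shows an 'access content' gate beside a hardened one using core's 'access user profiles' permission, with an autocomplete callback that re-checks the permission. The function names, the `example_` prefix and the callback body are assumptions for the example.

```php
<?php
// Added example; not code from the Realname User Reference module.
// In Drupal 6 the access check for a path lives in 'access arguments'
// of hook_menu(). Function names here are assumed for illustration.

// Weak gate: 'access content' is granted to anonymous users on most
// sites, so anyone can query the path and harvest user and real names.
function example_weak_menu() {
  $items['realnameuserreference/autocomplete'] = array(
    'page callback'    => 'example_autocomplete',
    'access arguments' => array('access content'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

// Hardened gate: 'access user profiles' is the permission Drupal 6 core
// uses for its own user/autocomplete path and is not normally granted
// to the anonymous role, so the lookup is limited to trusted accounts.
function example_hardened_menu() {
  $items['realnameuserreference/autocomplete'] = array(
    'page callback'    => 'example_autocomplete',
    'access arguments' => array('access user profiles'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

// Autocomplete callback (assumed shape). user_access() is checked again
// inside the callback so the protection does not rely solely on the menu
// router entry being configured correctly. Only user names are returned
// here; the real-name lookup is left out because its storage is
// module-specific and not covered by the advisory.
function example_autocomplete($string = '') {
  $matches = array();
  if ($string !== '' && user_access('access user profiles')) {
    // %s is escaped by db_query_range(); uid > 0 skips the anonymous row.
    $result = db_query_range(
      "SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%') AND uid > 0",
      $string, 0, 10
    );
    while ($row = db_fetch_object($result)) {
      $matches[$row->name] = check_plain($row->name);
    }
  }
  drupal_json($matches);
}
```

Site administrators who cannot update the module can reduce exposure in the meantime by reviewing which roles hold 'access content' and 'access user profiles' under Administer > User management > Permissions.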
