- Advisory ID: DRUPAL-SA-CONTRIB-2015-162
- Project: Login Disable (third-party module)
- Version: 6.x, 7.x
- Date: 2015-November-04
- Security risk: 12/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
- Vulnerability: Access bypass
Description
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.
The Login Disable module doesn’t support other contributed user authentication modules like CAS or URL Login. When combined with those modules, the protection preventing a user from logging in does not work.
This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if they do not have permission to login.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Login Disable 6.x-1.x versions prior to 6.x-1.1.
- Login Disable 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Login Disable module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Login Disable module for Drupal 6.x, upgrade to Login Disable 6.x-1.1
- If you use the Login Disable module for Drupal 7.x, upgrade to Login Disable 7.x-1.2
Also see the Login Disable project page.
Reported by
Fixed by
- Bryan Heisler
- Brian Gilbert the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity