V-186: Drupal Login Security Module Security Bypass and Denial of Service Vulnerability

June 26, 2013 - 1:28am

PROBLEM:

Drupal Login Security Module Security Bypass and Denial of Service Vulnerability

PLATFORM:

Login Security 6.x-1.x versions prior to 6.x-1.2.
Login Security 7.x-1.x versions prior to 7.x-1.2.

ABSTRACT:

A security issue and a vulnerability have been reported in the Login Security module for Drupal.

REFERENCE LINKS:

Advisory ID: DRUPAL-SA-CONTRIB-2013-053
Secunia Advisory SA53717
CVE-2013-2197
CVE-2013-2198

IMPACT ASSESSMENT:

Medium

DISCUSSION:

1) The security issue is caused by an unspecified error and can be exploited to bypass the module features.
Successful exploitation requires the "soft blocking" feature to be disabled.

2) The vulnerability is caused by an error within the delay feature and can be exploited to consume all web server instances via multiple failed login attempts.

IMPACT:

The Drupal Login Security module can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

SOLUTION:

The vendor has issued a fix.
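To confirm whether an installed copy falls in the ranges listed under PLATFORM, the version string in the module's .info file can be compared against the fixed releases. The following is an added example, not part of the original bulletin or the vendor's code; the function names and the sample .info text are constructed, and treating pre-releases of 1.2 as affected is an assumption.

```python
import re

# Fixed release per branch, from the PLATFORM section of this bulletin.
FIXED_PATCH = {"6.x-1": 2, "7.x-1": 2}

# Drupal contrib version: <core>.x-<major>.<patch>[-<extra>], or <core>.x-<major>.x-dev
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$")
INFO_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)

# Constructed sample of a packaged .info file (not taken from a real site).
SAMPLE_INFO = '''name = Login Security
core = 7.x
; Information added by drupal.org packaging script (constructed sample)
version = "7.x-1.1"
project = "login_security"
'''

def info_version(info_text):
    """Return the version string found in .info file text, or None."""
    m = INFO_VERSION_RE.search(info_text)
    return m.group(1) if m else None

def classify(version):
    """Return 'affected', 'fixed', 'unknown' or 'not-listed' for a version string."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"
    core, major, patch, extra = m.groups()
    branch = f"{core}.x-{major}"
    if branch not in FIXED_PATCH:
        return "not-listed"      # branch is not named in the bulletin
    if patch == "x":
        return "unknown"         # dev snapshot: cannot be ordered against a release
    if int(patch) < FIXED_PATCH[branch]:
        return "affected"
    if int(patch) == FIXED_PATCH[branch] and extra:
        return "affected"        # assumption: a 1.2 pre-release sorts before 1.2
    return "fixed"

if __name__ == "__main__":
    v = info_version(SAMPLE_INFO)
    print(v, classify(v))
```

A result of "unknown" (missing version line or a -dev snapshot) needs a manual check against the vendor's release.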