By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-092
  • Project: Misery (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-November-13
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

This module enables you to make life difficult for certain users, such as trolls, as an alternative to banning or deleting them from a community. The module provides means by which to punish members of your website. The aim of misery is to be not traceable by users on the misery list, so misery actions should be sufficiently subtle so as to avoid suspicion.

The module doesn't sufficiently warn about issues that can arise if high values are set on the "delay misery" configuration, which is active by default. Users who are made to suffer "delay missery" can make multiple requests to the site and consume all the web serving processes, causing a denial of service.

This vulnerability is mitigated by the fact that an administrator can change these configuration values on a per user basis within the interface. The option can also be turned off.

CVE identifier(s) issued

  • CVE-2013-4599

Versions affected

  • Misery 6.x-2.x versions prior to 6.x-2.5.
  • Misery 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Misery module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Misery module for Drupal 6.x, upgrade to Misery 6.x-2.5
  • If you use the Misery module for Drupal 7.x, upgrade to Misery 7.x-2.2

And check your misery delay configuration.

Also see the Misery project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 6.x, Drupal 7.x