  • Advisory ID: DRUPAL-SA-CONTRIB-2014-051
  • Project: Realname registration (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-05-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

Description

This module enables you to generate usernames from fields the user fills in during registration. The module does not sufficiently restrict access to the settings that determine which user fields are incorporated into usernames, and does not properly validate the generated usernames.

Any user with the "access administration pages" permission can change which fields are used to generate the username. Because usernames are displayed publicly, this may expose user profile fields intended to be kept private. This vulnerability is mitigated by the fact that an attacker must have a role with the "access administration pages" permission.

In addition, generated usernames are not passed through the core function user_validate_name(). This vulnerability is mitigated by the fact that it only impacts custom modules or themes that do not properly filter usernames through check_plain() before displaying them.
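The two defects above, shown the other way round as an added Drupal 7 illustration that is neither the module's code nor the official fix: the settings page is gated on 'administer users' rather than 'access administration pages', and the generated name goes through user_validate_name() before it is stored. The realname_example_* names are hypothetical, and the form builder realname_example_settings_form() is assumed to exist elsewhere in the module.

```php
<?php
// Added illustration, not the Realname registration module's code or its fix.
// Drupal 7 API; the realname_example_* names are hypothetical.

/**
 * Implements hook_menu().
 *
 * The settings page decides which profile fields feed the username, so it is
 * gated on 'administer users' rather than the much broader
 * 'access administration pages', which many non-admin helper roles hold.
 */
function realname_example_menu() {
  $items['admin/config/people/realname-example'] = array(
    'title' => 'Realname example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('realname_example_settings_form'),
    'access arguments' => array('administer users'),
  );
  return $items;
}

/**
 * Build a username from the configured profile field values and reject
 * anything core would refuse on the registration form, so a generated name
 * is held to the same rules as a typed one.
 *
 * @return string|false
 *   The validated name, or FALSE if the generated value is not acceptable.
 */
function realname_example_generate_name(array $field_values) {
  $name = trim(implode(' ', array_filter($field_values)));
  // user_validate_name() returns an error message on failure, NULL otherwise.
  $error = user_validate_name($name);
  if ($error !== NULL) {
    watchdog('realname_example', 'Rejected generated username: @msg',
      array('@msg' => $error), WATCHDOG_WARNING);
    return FALSE;
  }
  return $name;
}

/**
 * Output side: however the name was produced, escape it before display.
 */
function realname_example_display_name($name) {
  return check_plain($name);
}
```

The display helper is the counterpart of the advisory's second mitigating factor: a theme or module that prints usernames raw is exposed to any name that bypassed validation, whatever module generated it.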

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
  • Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.

Drupal core is not affected. If you do not use the contributed Realname registration module, there is nothing you need to do.

Solution

Also see the Realname registration project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity