- Advisory ID: DRUPAL-SA-CONTRIB-2014-051
- Project: Realname registration (third-party module)
- Version: 6.x, 7.x
- Date: 2014-05-14
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure
Description
This module generates usernames from fields the user fills in during registration. It does not sufficiently restrict access to the setting that controls which user fields are incorporated into generated usernames, and it does not properly validate the usernames it generates.
Any user with the "access administration pages" permission can change which fields are used to build the name. Because usernames are displayed publicly, a profile field added to the generator in this way becomes visible to anyone who can see the account's name, even if the field was intended to be kept private. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".
In addition, generated usernames are not passed through the core function user_validate_name(), the same check Drupal applies to names entered manually, so a generated name can contain content that core would otherwise reject. This vulnerability is mitigated by the fact that it only impacts custom modules or themes which do not properly filter usernames through check_plain() before displaying them.
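The following Drupal 7 snippet is an added illustration of the two weaknesses described above and is not the Realname Registration module's own code. It shows the weak access check beside a hardened one (a module-specific permission instead of core's broad "access administration pages"), a generator that runs its result through user_validate_name(), and the display-side check_plain() caveat. All function, permission and variable names (example_realname_*, 'administer example realname settings', the example_realname_fields variable) are hypothetical, as is the flat $values array of submitted field values.

```php
<?php
// Added example (not the Realname Registration module's code). All names are
// hypothetical; the point is the pattern, not the module's actual internals.

/**
 * Implements hook_permission().
 *
 * Weak pattern: guarding the settings form with core's 'access administration
 * pages' permission, which many site roles hold. Hardened pattern: a dedicated
 * permission so only roles explicitly granted it can choose which profile
 * fields feed into generated usernames. 'restrict access' flags it as a
 * permission with security implications on the permissions page.
 */
function example_realname_permission() {
  return array(
    'administer example realname settings' => array(
      'title' => t('Administer username generation settings'),
      'description' => t('Choose which profile fields are used to build usernames. Selected fields become publicly visible.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function example_realname_menu() {
  $items['admin/config/people/example-realname'] = array(
    'title' => 'Username generation',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_realname_settings_form'),
    // Weak:   'access arguments' => array('access administration pages'),
    'access arguments' => array('administer example realname settings'),
  );
  return $items;
}

/**
 * Build a username from the configured profile fields and validate it with
 * the same core check applied to manually chosen names.
 *
 * @param array $values
 *   Submitted registration values keyed by field name (hypothetical flat
 *   layout; a real Field API form nests these deeper).
 *
 * @return string|false
 *   The generated name, or FALSE if core would reject it.
 */
function example_realname_generate($values) {
  $fields = variable_get('example_realname_fields', array('field_first_name', 'field_last_name'));
  $parts = array();
  foreach ($fields as $field) {
    if (isset($values[$field]) && drupal_strlen(trim($values[$field]))) {
      $parts[] = trim($values[$field]);
    }
  }
  $name = implode(' ', $parts);

  // user_validate_name() returns NULL on success or an error message string.
  // Skipping this step lets a registrant control the raw username contents.
  if ($error = user_validate_name($name)) {
    watchdog('example_realname', 'Rejected generated username: @error', array('@error' => $error), WATCHDOG_NOTICE);
    return FALSE;
  }
  return $name;
}

/**
 * Display-side caveat from the advisory: format_username() returns an
 * unsanitized string, so any custom module or theme printing a username must
 * escape it with check_plain() regardless of how the name was generated.
 */
function example_realname_render_name($account) {
  return check_plain(format_username($account));
}
```

Sites auditing their own contrib or custom code can apply the same two checks: grep hook_menu() entries for 'access administration pages' guarding anything that changes what is shown publicly, and grep for usernames written into output without check_plain() or theme('username').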
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
- Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.
Drupal core is not affected. If you do not use the contributed Realname registration module, there is nothing you need to do.
Solution
- If you use the Realname Registration module for Drupal 6.x, upgrade to Realname Registration 6.x-2.0
- If you use the Realname Registration module for Drupal 7.x, upgrade to Realname Registration 7.x-2.0
Also see the Realname registration project page.
Reported by
Fixed by
- Steve Gerbino and Matt Corks, the module maintainers
Coordinated by
- Beth Binkovitz of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity