- Advisory ID: DRUPAL-SA-CONTRIB-2014-069
- Project: LoginToboggan (third-party module)
- Version: 7.x
- Date: 2014-July-09
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Access bypass
Description
This module enables you to customise the standard Drupal registration and login processes.
Cross Site Scripting
The module doesn't filter user-supplied information from the URL, resulting in a reflected Cross Site Scripting (XSS) vulnerability.
Access Bypass
The module introduces the concept of a "pre-authorized role", which can have different permissions from the normal Drupal core authorized role. Logintoboggan normally removes a permission from a user if that permission is granted to the "authorized user" role but not to the "pre-authorized role". The module failed to remove those permissions for users in a pre-authorized state on all "Page Not Found" (i.e. 404) pages.
This vulnerability is mitigated by the fact that a site must use the "pre-authorized role" feature, that an attacker would only gain permissions available to authenticated users, and that they would only gain them on 404 pages, which do not show private information in a default Drupal installation.
CVE identifier(s) issued
- Access Bypass: CVE-2014-9361
- Cross Site Scripting: CVE-2014-9364
Versions affected
- Logintoboggan 7.x-1.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Logintoboggan module for Drupal 7.x, upgrade to Logintoboggan 7.x-1.4
Also see the LoginToboggan project page.
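The following script is an added example, not part of the advisory or of the LoginToboggan project: it reads the version line that drupal.org packaging writes into logintoboggan.info and reports whether the installed copy falls in the affected range (7.x-1.x before 7.x-1.4). The default module path and the sample .info content are assumptions.

```shell
#!/bin/sh
# Added check (not from the advisory or the module): decide whether an
# installed LoginToboggan is in the affected range, 7.x-1.x before 7.x-1.4,
# from the version line that drupal.org packaging writes into logintoboggan.info.
# Assumed default path: $DRUPAL_ROOT/sites/all/modules/logintoboggan/logintoboggan.info

# Print the version string from a .info file (e.g. 7.x-1.3); empty if absent.
lt_info_version() {
  sed -n 's/^version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Exit 0 when the version is 7.x-1.x and older than 7.x-1.4, 1 when it is
# fixed or on another branch, 2 when undecidable (no version, -dev snapshot).
lt_is_affected() {
  ver=$1
  case "$ver" in
    ""|7.x-1.x|7.x-1.x-dev) return 2 ;;
    7.x-1.*) ;;
    *) return 1 ;;
  esac
  minor=${ver#7.x-1.}     # "4-rc1" for 7.x-1.4-rc1
  minor=${minor%%-*}      # "4"
  case "$minor" in ''|*[!0-9]*) return 2 ;; esac
  # A pre-release of 1.4 (e.g. 7.x-1.4-rc1) still predates the fixed release.
  if [ "$ver" != "7.x-1.$minor" ] && [ "$minor" -eq 4 ]; then return 0; fi
  [ "$minor" -lt 4 ]
}

# Report on one .info file; the exit status mirrors lt_is_affected.
lt_check_info() {
  ver=$(lt_info_version "$1")
  rc=0
  lt_is_affected "$ver" || rc=$?
  case $rc in
    0) echo "AFFECTED: $1 reports $ver; upgrade to 7.x-1.4 (DRUPAL-SA-CONTRIB-2014-069)" ;;
    1) echo "OK: $1 reports $ver" ;;
    *) echo "UNDETERMINED: $1 reports '$ver'; confirm the release by hand" ;;
  esac
  return $rc
}

# Demo on a constructed logintoboggan.info (sample content, not a real file).
lt_demo() {
  tmp=$(mktemp)
  printf '%s\n' 'name = LoginToboggan' 'core = 7.x' 'version = "7.x-1.3"' > "$tmp"
  rc=0
  lt_check_info "$tmp" || rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: sh lt_check.sh [path/to/logintoboggan.info]; with no argument, run the demo.
if [ $# -gt 0 ]; then lt_check_info "$1"; else lt_demo; fi
```

A -dev snapshot carries no release number, so the script reports it as undetermined rather than guessing; check the packaged date against the 7.x-1.4 release by hand in that case.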
Reported by
Fixed by
- Steve Cowie the module maintainer
- Dan Smith of the Drupal Security Team
- Joel Walters
- Mark Davies
Coordinated by
- Dan Smith of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity