  • Advisory ID: DRUPAL-SA-CONTRIB-2010-091
  • Project: Mollom (third-party module)
  • Version: 6.x
  • Date: 2010-September-15
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

Description

The Mollom module provides a combination of CAPTCHA challenges with text analysis to intelligently block spam. In some configurations, sensitive user data (e.g., a user's plain-text password) might be logged through calls to Drupal's watchdog API.

This vulnerability is mitigated by the fact that this information would only be disclosed to users with access to view log messages, usually a role with the 'access site reports' permission or access to system syslog files, which should generally only be granted to trusted users.
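The logging mistake this advisory describes, shown beside a redacting alternative, as an added PHP illustration that is not Mollom's own code; the `example_` function names and the list of sensitive form keys are assumptions, while the `watchdog()` signature is Drupal 6's.

```php
<?php
// Added illustration (not Mollom's code). Drupal 6's logging API is
// watchdog($type, $message, $variables = array(), $severity = WATCHDOG_NOTICE).

// Form keys whose values must never reach the log (assumed list; extend per site).
function example_sensitive_keys() {
  return array('pass', 'password', 'pass1', 'pass2', 'current_pass');
}

// Recursively replace sensitive values so a $form_state['values'] array can be logged.
function example_redact_form_values(array $values) {
  $sensitive = array_flip(example_sensitive_keys());
  foreach ($values as $key => $value) {
    if (isset($sensitive[$key])) {
      $values[$key] = '[REDACTED]';
    }
    elseif (is_array($value)) {
      $values[$key] = example_redact_form_values($value);
    }
  }
  return $values;
}

// Vulnerable pattern: the whole submitted form, password field included, is
// written to the watchdog table and/or syslog, where anyone holding
// 'access site reports' or with read access to the log files can see it.
function example_log_form_insecure($form_id, array $form_state) {
  watchdog('example', 'Validating %form_id: @values',
    array('%form_id' => $form_id,
          '@values' => var_export($form_state['values'], TRUE)),
    WATCHDOG_DEBUG);
}

// Hardened pattern: redact sensitive keys first, then log at debug level only.
function example_log_form_secure($form_id, array $form_state) {
  $safe = example_redact_form_values($form_state['values']);
  watchdog('example', 'Validating %form_id: @values',
    array('%form_id' => $form_id,
          '@values' => var_export($safe, TRUE)),
    WATCHDOG_DEBUG);
}
```

The redaction runs before the values are interpolated, so the `@values` placeholder (which Drupal passes through `check_plain()`) never carries a credential into the Recent log entries page or syslog.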

Versions affected

  • Mollom module for Drupal 6.x versions prior to 6.x-1.14

Mollom for Drupal 5.x is not affected, but the alpha Mollom release for Drupal 7.x is affected.

Drupal core is not affected. If you do not use the contributed Mollom module there is nothing you need to do.

Solution

Install the latest version:

See also the Mollom project page.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.