Vigil@nce - Drupal Password Policy: multiple vulnerabilities
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of Drupal Password
Policy.
Impacted products: Drupal Modules
Severity: 2/4
Creation date: 19/06/2014
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in Drupal Password Policy.
After a migration to version 7, when user’s password has to be
renewed, a user can reuse his old password. [severity:2/4]
After a migration to version 7, MD5 hashed passwords are kept
indefinitely, which may ease a future brute force. [severity:1/4]
When the user_save() function is called before the user has
changed his password, he is not forced to change it anymore.
[severity:2/4]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Password-Policy-multiple-vulnerabilities-14917