Drupal Password Policy Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities

Bugtraq ID:	51385
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 11 2012 12:00AM
Updated:	Jan 11 2012 12:00AM
Credit:	Greg Knaddison
Vulnerable:	Drupal Password Policy 6.X-1.X
Not Vulnerable:	Drupal Password Policy 6.X-1.4

Drupal Password Policy Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities

The Password Policy module for Drupal is prone to a cross-site request-forgery vulnerability and a cross-site scripting vulnerability.

An attacker can exploit the cross-site request-forgery issue to perform unauthorized actions in the context of a user's session. This may aid in other attacks.

The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.

Password Policy versions 6.x-1.x prior to 6.x-1.4 are vulnerable.

Drupal Password Policy Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities

An attacker must trick an unsuspecting victim into following a malicious URI to exploit these issues.

Drupal Password Policy Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references for details.

Drupal Password Policy Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities

References:

• Drupal Homepage (Drupal)
  
• Password policy Homepage (Drupal)
  
• SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities (Drupal)