Project
Date
Severity
Moderately Critical
Vulnerability
Access bypass
Affected versions
< 7.x-1.2
Description
The Access code module enables users to log in using a short access code instead of providing a username/password combination.
The module doesn't sufficiently protect against brute force attacks to guess a user's access code.
This vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:
- disabling the access code login method for critical accounts
- monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)
Solution
Install the latest version.
Reported by
- Marcin Maruszewski (marcin maruszewski)
Fixed by
- Gergely Lekli (glekli)
- Tag1 D7ES
Coordinated by
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Tag1 D7ES