Date
Severity
Moderately Critical
Vulnerability
Insufficiently Protected Credentials
Affected versions
<7.x-1.5

Description

The Basic HTTP Authentication module allows site administrators to protect Drupal paths with HTTP Basic Authentication by storing username/password pairs in a custom database table.

The module stored passwords as plaintext and included them verbatim in a hidden HTML "value" attribute on the admin form at "admin/config/system/basic-auth", meaning any administrator who could view that page's source or any script running in that context could read all configured credentials. Additionally, the stored plaintext passwords would be fully exposed in the event of a database breach or backup disclosure.

This vulnerability is mitigated by the fact that exploitation of the HTML exposure requires administrator-level access to the Drupal site, and exploitation of the database exposure requires read access to the database.
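Added illustration (not code from the basic_auth module): the pattern the advisory describes, a plaintext row whose value is echoed into a hidden form field, beside a hardened version that stores only a password_hash() digest and never puts the secret in the form. The array standing in for the module's custom table, the function names and the sample credential are assumptions.

```php
<?php
// Storage is a plain array standing in for the module's custom database table (assumed).

// --- Weak pattern: plaintext at rest, and the secret echoed into the admin form ---
function weak_store(array &$table, string $user, string $password): void {
    $table[$user] = $password;                 // plaintext row: exposed by any DB dump or backup
}
function weak_admin_form(array $table): string {
    $html = '';
    foreach ($table as $user => $password) {
        // the secret lands in page source, readable by anyone who can view the admin page
        $html .= '<input type="hidden" name="pass[' . htmlspecialchars($user) . ']" value="'
               . htmlspecialchars($password) . '">' . "\n";
    }
    return $html;
}

// --- Hardened: keep only a salted hash, render the form without the secret ---
function safe_store(array &$table, string $user, string $password): void {
    $table[$user] = password_hash($password, PASSWORD_DEFAULT);   // bcrypt digest, never the plaintext
}
function safe_admin_form(array $table): string {
    $html = '';
    foreach ($table as $user => $hash) {
        // an empty password field means "leave unchanged"; neither password nor hash leaves the server
        $html .= '<input type="password" name="pass[' . htmlspecialchars($user) . ']" value=""'
               . ' autocomplete="new-password">' . "\n";
    }
    return $html;
}
// Request-time check for a protected path against the browser-supplied Basic Auth pair.
function safe_check(array $table, string $user, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash('unknown-user-placeholder', PASSWORD_DEFAULT);
    // verify against a dummy digest when the user is unknown so the cost is the same either way
    $hash = $table[$user] ?? $dummy;
    return password_verify($password, $hash) && isset($table[$user]);
}

$table = [];
safe_store($table, 'editor', 'constructed-sample-secret');
var_dump(safe_check($table, 'editor', 'constructed-sample-secret'));
var_dump(safe_check($table, 'editor', 'wrong-secret'));
var_dump(strpos(safe_admin_form($table), 'constructed-sample-secret') === false);
```

Run with `php example.php`; the first and third checks should report true and the second false, and the rendered form should contain no trace of the stored secret.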

Solution

Install the latest version.

If you use the Basic HTTP Authentication module for Drupal 7, upgrade to basic_auth 7.x-1.5:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES