Date
Severity
Moderately Critical
Vulnerability
Cross-Site Request Forgery
Affected versions
<7.x-1.3

Description

The Friendly Register module provides real-time username and email availability checks on the user registration form via the AJAX endpoints "ajax/check-user" and "ajax/check-email", both registered with 'access callback' => TRUE.

The module does not validate a CSRF token on these endpoints, allowing an attacker to make direct or cross-origin requests to enumerate whether specific usernames or email addresses are registered on the site.

This vulnerability is mitigated by the fact that the module's flood control limits the number of requests per IP address, and the information disclosed (username/email existence) does not by itself grant access to accounts.

Solution

Install the latest version.

If you use the Friendly Register module for Drupal 7, upgrade to friendly_register 7.x-1.3:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES