Description
The Login One Time module provides one-time login links for user authentication. The module's login_one_time_page() function previously lacked flood control, so an attacker could make an unlimited number of attempts to guess the parameters of a valid one-time login link (user ID, timestamp and hashed password).
Without flood control, an attacker could:
- Brute force valid one-time login links
- Use timing differences in the response to guess valid parameters
- Exhaust server resources through repeated requests
- Potentially discover valid user accounts by analysing the response to each attempt
The practical risk is reduced by the difficulty of guessing a valid hashed-password value and by the need to know or guess a valid user ID. However, with no rate limiting in place, the endpoint remains a viable target for an attacker with sufficient computational resources.
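The following is an added example of how a Drupal 7 page callback for a one-time login link can be protected with the core Flood API, and is not the Login One Time module's own code. The function name, the `example_` variable keys, the thresholds and the menu path are assumptions; it relies only on core Drupal 7 functions (`flood_is_allowed()`, `flood_register_event()`, `flood_clear_event()`, `user_pass_rehash()` in a 7.x release that takes the uid as its fourth argument, and `hash_equals()` from PHP 5.6+). Failed attempts are counted per client IP and per targeted uid, the check runs before any work that depends on the target account, and the hash comparison is constant-time so the response does not leak how close a guess was.

```php
<?php
/**
 * Added example (not the login_one_time module's own code).
 *
 * Assumed menu entry: example/login/%/%/% => example_login_one_time_page().
 * All example_* names and the numeric limits are assumptions.
 */
function example_login_one_time_page($uid, $timestamp, $hashed_pass) {
  global $user;

  // Per-IP limit is checked first: it needs no lookup of the target account,
  // so a flooding client is cut off before it can learn anything about uids.
  $ip_limit     = variable_get('example_one_time_ip_limit', 50);
  $ip_window    = variable_get('example_one_time_ip_window', 3600);
  $user_limit   = variable_get('example_one_time_user_limit', 5);
  $user_window  = variable_get('example_one_time_user_window', 21600);
  $link_timeout = variable_get('user_password_reset_timeout', 86400);

  if (!flood_is_allowed('example_one_time_ip', $ip_limit, $ip_window)) {
    drupal_set_message(t('Too many login attempts from your IP address. Try again later.'), 'error');
    drupal_goto();
  }
  // Per-account limit keyed on the uid in the URL, regardless of whether it exists.
  if (!flood_is_allowed('example_one_time_user', $user_limit, $user_window, $uid)) {
    drupal_set_message(t('Too many login attempts for this account. Try again later.'), 'error');
    drupal_goto();
  }

  $current = REQUEST_TIME;
  $account = user_load($uid);
  $valid = FALSE;

  if ($account && $account->status
      && $timestamp <= $current
      && ($current - $timestamp) < $link_timeout
      // A link issued before the account's last login is treated as already used.
      && !($account->login && $account->login >= $timestamp)) {
    $expected = user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid);
    // hash_equals() compares in constant time, so the response latency does not
    // depend on how many leading characters of the guess were correct.
    $valid = hash_equals($expected, (string) $hashed_pass);
  }

  if (!$valid) {
    // Count the failure against both the client IP and the targeted uid.
    flood_register_event('example_one_time_ip', $ip_window);
    flood_register_event('example_one_time_user', $user_window, $uid);
    watchdog('example', 'Rejected one-time login attempt for uid %uid.',
      array('%uid' => $uid), WATCHDOG_WARNING);
    // Same message for an unknown uid, an expired link and a wrong hash, so the
    // response body cannot be used to confirm which accounts exist.
    drupal_set_message(t('This login link is invalid or has expired.'), 'error');
    drupal_goto();
  }

  // Successful login: reset the per-account counter and finalize the session.
  flood_clear_event('example_one_time_user', $uid);
  $user = $account;
  user_login_finalize();
  drupal_goto('user/' . $account->uid . '/edit');
}
```

The per-IP counter alone is not enough, since an attacker can spread guesses across many source addresses; the per-uid counter caps the total number of guesses any single account will tolerate within the window. Keep the failure branch identical for every rejection reason, otherwise the flood check closes the brute-force vector but leaves the account-enumeration one open.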
Solution
Install the latest version.
If you use the Login One Time module for Drupal 7, upgrade to login_one_time 7.x-2.11.
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES