Vigil@nce - Drupal Bad Behavior: getting secrets from log files
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can get user names and passwords from the log
files of Drupal Bad Behavior.
Impacted products: Drupal Modules
Severity: 2/4
Creation date: 23/10/2014
DESCRIPTION OF THE VULNERABILITY
The Bad Behavior module can be installed on Drupal.
This modules logs some submitted user names and associated
passwords. So a user who has administration rights for this module
can get these credentials.
An attacker can therefore read the log files of Drupal Bad
Behavior, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Bad-Behavior-getting-secrets-from-log-files-15523