customize

You are here

myDropWizard.com: Drupal 6 version of netFORUM Authentication not affected by SA-CONTRIB-2017-077

Error message

User error: Failed to connect to memcache server: localhost:11212 in dmemcache_object() (line 415 of /home/freedrup/public_html/demo/d7/sites/all/modules/memcache/dmemcache.inc).

Today, there was a Moderately Critical security advisory for an Access Bypass vulnerability in the netFORUM Authentication module for Drupal 7:

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

The module was bypassing protections on the Drupal 7 user login form, to deter brute force attempts to login to the site, and so was an Access Bypass vulnerability by making login less secure when using this module.

However, Drupal 6 (including Pressflow 6) don't have these same protections for the user login form, and so, using this module is no less secure than using vanilla Drupal 6. Of course, these protections could be added to this module, and while this would be great security hardening, this doesn't represent a vulnerability - only a weakness which is also present (and widely known) in Drupal 6 core.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Source: 
https://www.mydropwizard.com/blog/drupal-6-version-netforum-authentication-not-affected-sa-contrib-2017-077