Date:
Friday, Sep 8th, 2017
Advisory ID:
BACKDROP-SA-CONTRIB-2017-010
Security risk:
Moderately Critical
Vulnerability:
Denial of Service
Versions affected:
- CAPTCHA 1.x-1.x versions prior to 1.x-1.3.5.
Backdrop core is not affected. If you do not use the contributed CAPTCHA module, there is nothing you need to do.
Description:
The Captcha module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments.
The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack.
This vulnerability is mitigated by the fact that Backdrop does not give a session to all visitors, especially when used with advanced caching systems like Varnish.
Solution:
- If you use the CATPCHA module for Backdrop, upgrade to CAPTCHA 1.x-1.x-1.3.5.
Reported By:
Fixed By:
- Fabiano Sant'Ana, the Drupal module's maintainer
- Herb v/d Dool, the Backdrop module's maintainer
Coordinated By:
- Geoff St Pierre of the Backdrop CMS Security Team
- Lee Rowlands of the Drupal Security Team.
- Damien McKenna of the Drupal Security Team.