------------PROJECT ISSUE TRACKING - ACCESS BYPASS------------
* Advisory ID: DRUPAL-SA-2007-012.
* Project: Project issue tracking (third-party module).
* Version: 4.7.x-1.*, 4.7.x-2.*, 5.x-0.*.
* Date: 2007-March-08.
* Security risk: Critical.
* Exploitable from: Remote.
* Vulnerability: Access bypass.
------------DESCRIPTION------------
If a remote user knows the node identifier (nid) of an issue that has been marked private using a node access module (simple_access, node_privacy_byrole, etc.), they can use a specially crafted URL to view the contents of that node regardless of the node access restrictions placed on it. The check behind that URL does not honour node access grants; all that is required is the "access project issues" permission.
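The pattern behind this class of bug, shown as an added illustration for this advisory and not as the Project issue tracking module's own code: a Drupal 5.x menu callback that loads a node by the nid in the URL and renders it after checking only its own module permission, beside the hardened form that also asks node_access() for a 'view' grant on that specific node. The path example/issue/N, the function names, and the 'project_issue' node type check are assumptions made for the example.

```php
<?php
// Illustrative Drupal 5.x code written for this advisory. It is not the
// Project issue tracking module's code; 'example/issue/N', the function
// names and the 'project_issue' type check are assumptions.

/**
 * Implementation of hook_menu() (Drupal 5.x signature).
 * Registers example/issue/<nid> and points it at the hardened callback.
 * 'access' only gates the menu item on the module permission; the
 * per-node decision still has to be made inside the callback.
 */
function example_menu($may_cache) {
  $items = array();
  if (!$may_cache && arg(0) == 'example' && arg(1) == 'issue' && is_numeric(arg(2))) {
    $items[] = array(
      'path' => 'example/issue/'. arg(2),
      'callback' => 'example_issue_view_hardened',
      'callback arguments' => array(arg(2)),
      'access' => user_access('access project issues'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

/**
 * Weak pattern: the caller names any nid, the callback confirms only the
 * module-wide permission and renders the node. node_access() is never
 * consulted, so restrictions added by node access modules
 * (simple_access, node_privacy_byrole, ...) are silently bypassed.
 */
function example_issue_view_weak($nid) {
  $node = node_load((int) $nid);
  if (!$node) {
    drupal_not_found();
    return;
  }
  // Only the module permission is checked; a private issue is shown to
  // anyone holding 'access project issues'.
  if (!user_access('access project issues')) {
    drupal_access_denied();
    return;
  }
  return node_view($node, FALSE, TRUE);
}

/**
 * Hardened pattern: require the module permission AND a node_access()
 * 'view' grant for this particular node. node_access() consults every
 * enabled node access module through the node_access grants table, so
 * a private issue stays private even when the nid is known.
 */
function example_issue_view_hardened($nid) {
  $node = node_load((int) $nid);
  // Assumed node type name; refuse to serve unrelated node types here.
  if (!$node || $node->type != 'project_issue') {
    drupal_not_found();
    return;
  }
  if (!user_access('access project issues') || !node_access('view', $node)) {
    drupal_access_denied();
    return;
  }
  return node_view($node, FALSE, TRUE);
}
```

The hardened callback fails closed: a node that exists but is not an issue, or that the current user holds no 'view' grant for, is answered with a 404 or 403 rather than rendered. Any custom path that renders a node by nid in a Drupal 5.x module should carry the same node_access() check; the module permission alone is not a substitute for it.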
------------VERSIONS AFFECTED------------
* Project issue tracking 5.x-* before version 5.x-0.2-beta
* Project issue tracking 4.7.x-2.* before version 4.7.x-2.3
* Project issue tracking 4.7.x-1.* before version 4.7.x-1.3
Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* Project issue tracking 5.x-0.2-beta [http://drupal.org//node/125835]
* Project issue tracking 4.7.x-2.3 [http://drupal.org//node/125834]
* Project issue tracking 4.7.x-1.3 [http://drupal.org//node/125833]
Until you can upgrade, revoking the "access project issues" permission from every role that you do not trust with all of your private issue content provides an immediate workaround.
------------REPORTED BY------------
Gerhard Killesreiter (killes [http://drupal.org/user/227]) of the Drupal security team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact].