Scoutnet vzw

We connect scouts!

All times are UTC + 1 hour




Author: Site Admin
Posted: 12 Mar 2007 20:14

------------PROJECT ISSUE TRACKING - ACCESS BYPASS------------

* Advisory ID: DRUPAL-SA-2007-012.
* Project: Project issue tracking (third-party module).
* Version: 4.7.x-1.*, 4.7.x-2.*, 5.x-0.*.
* Date: 2007-March-08.
* Security risk: Critical.
* Exploitable from: Remote.
* Vulnerability: Access bypass.

------------DESCRIPTION------------

If a remote user knows the node identifier of an issue that has been marked private using a node access module (simple_access, node_privacy_byrole, etc.), they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access project issues" permission.

------------VERSIONS AFFECTED------------

* Project issue tracking 5.x-* before version 5.x-0.2-beta
* Project issue tracking 4.7.x-2.* before version 4.7.x-2.3
* Project issue tracking 4.7.x-1.* before version 4.7.x-1.3

Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* Project issue tracking 5.x-0.2-beta [http://drupal.org//node/125835]
* Project issue tracking 4.7.x-2.3 [http://drupal.org//node/125834]
* Project issue tracking 4.7.x-1.3 [http://drupal.org//node/125833]

Revoking the "access project issues" permission for all roles that you do not trust with all of your private issue content provides an immediate work-around.

------------REPORTED BY------------

Gerhard Killesreiter (killes [http://drupal.org/user/227]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact].
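
As an added example (not part of the advisory or of the Project issue tracking module), this script classifies an installed release against the fixed versions listed above and names the untrusted roles that still hold the "access project issues" permission, which is what the work-around asks you to revoke. The (role name, perm string) row format with comma-separated permissions, the pre-release ordering alpha < beta < rc < final, and the sample rows are assumptions constructed for illustration.

```python
import re

# Fixed releases from DRUPAL-SA-2007-012, keyed by (core, module branch).
FIXED = {("5.x", 0): (2, "beta"), ("4.7.x", 2): (3, ""), ("4.7.x", 1): (3, "")}
# Assumed ordering of pre-release suffixes; "" means a final release.
RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)?\.x)-(\d+)\.(\d+)(?:-([a-z]+)\d*)?$")
PERMISSION = "access project issues"


def release_status(version):
    """Classify a release string as 'affected', 'fixed' or 'unknown'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # e.g. a -dev snapshot: verify by hand
    core, tag = m.group(1), m.group(4) or ""
    major, patch = int(m.group(2)), int(m.group(3))
    if (core, major) not in FIXED or tag not in RANK:
        return "unknown"  # branch or suffix not covered by the advisory
    fixed_patch, fixed_tag = FIXED[(core, major)]
    before_fix = (patch, RANK[tag]) < (fixed_patch, RANK[fixed_tag])
    return "affected" if before_fix else "fixed"


def roles_with_permission(rows, trusted=()):
    """Return untrusted role names whose perm string grants PERMISSION."""
    return [name for name, perm in rows
            if name not in trusted
            and PERMISSION in {p.strip() for p in perm.split(",")}]


def audit(version, rows, trusted=()):
    """Pair the release status with the roles to review for the work-around."""
    status = release_status(version)
    # On a fixed release the permission no longer exposes private issues.
    exposed = [] if status == "fixed" else roles_with_permission(rows, trusted)
    return status, exposed


# Constructed sample rows (role name, perm string), not from a real site.
SAMPLE_ROWS = [
    ("anonymous user", "access content, access project issues"),
    ("authenticated user", "access content, post comments"),
    ("maintainer", "access project issues, administer nodes"),
]

if __name__ == "__main__":
    print(audit("4.7.x-2.1", SAMPLE_ROWS, trusted=("maintainer",)))
```

A release string that does not parse, or a branch the advisory does not list, is reported as "unknown" and its roles are still listed, so the result errs toward manual review.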

