Scoutnet vzw http://forum.scoutnet.be/

[Drupal] Security announcements: Project issue tracking http://forum.scoutnet.be/viewtopic.php?f=19&t=1791
Page 1 of 1
Author: To [ 12 Mar 2007 20:14 ]
Title: [Drupal] Security announcements: Project issue tracking
------------PROJECT ISSUE TRACKING - ACCESS BYPASS------------

* Advisory ID: DRUPAL-SA-2007-012.
* Project: Project issue tracking (third-party module).
* Version: 4.7.x-1.*, 4.7.x-2.*, 5.x-0.*.
* Date: 2007-March-08.
* Security risk: Critical.
* Exploitable from: Remote.
* Vulnerability: Access bypass.

------------DESCRIPTION------------

If a remote user knows the node identifier of an issue that has been marked private using a node access module (simple_access, node_privacy_byrole, etc), they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access project issues" permission.

------------VERSIONS AFFECTED------------

* Project issue tracking 5.x-* before version 5.x-0.2-beta
* Project issue tracking 4.7.x-2.* before version 4.7.x-2.3
* Project issue tracking 4.7.x-1.* before version 4.7.x-1.3

Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* Project issue tracking 5.x-0.2-beta [http://drupal.org//node/125835]
* Project issue tracking 4.7.x-2.3 [http://drupal.org//node/125834]
* Project issue tracking 4.7.x-1.3 [http://drupal.org//node/125833]

Revoking the "access project issues" permission for all roles that you do not trust with all of your private issue content provides an immediate work-around.

------------REPORTED BY------------

Gerhard Killesreiter (killes [http://drupal.org/user/227]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact].
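The class of bug the advisory describes is a module that gates issue display on its own module-wide permission but never asks the node access layer whether this user may see this particular node. The following Python model is an added illustration written for this page; it is not code from the Project issue tracking module or from Drupal, and its users, roles, nodes and the `view_roles` grant field are constructed sample data. It puts the permission-only handler next to the hardened one that also runs a per-node check, and shows why revoking the permission (the advisory's interim work-around) closes the gap in both.

```python
"""Access-bypass pattern from DRUPAL-SA-2007-012, modelled in plain Python.

Added example, not the module's or Drupal's code. A node access module
(simple_access, node_privacy_byrole, ...) restricts who may view a node;
a module that fetches a node by identifier and checks only its own global
permission silently skips that restriction.
"""
from dataclasses import dataclass
from typing import Callable, Optional

ACCESS_ISSUES = "access project issues"  # permission named in the advisory


@dataclass(frozen=True)
class Node:
    nid: int
    title: str
    body: str
    # Roles granted 'view' by a node access module; None = unrestricted.
    view_roles: Optional[frozenset] = None


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    permissions: frozenset


# Constructed sample content: one public issue and one marked private so
# that only the "staff" role holds a 'view' grant on it.
NODES = {
    101: Node(101, "Public bug report", "Typo on the login page", None),
    102: Node(102, "Private incident", "Internal incident notes", frozenset({"staff"})),
}

# Constructed sample users: both hold the module permission, only one is staff.
STAFF = User("alice", frozenset({"staff"}), frozenset({ACCESS_ISSUES}))
REPORTER = User("bob", frozenset({"authenticated"}), frozenset({ACCESS_ISSUES}))


def node_access(user: User, node: Node) -> bool:
    """Per-node 'view' decision in the style of a node access module."""
    if node.view_roles is None:
        return True
    return bool(user.roles & node.view_roles)


def view_issue_vulnerable(user: User, nid: int) -> Optional[str]:
    """Flawed pattern: only the module-wide permission is checked.

    The node is looked up directly by identifier and returned without
    consulting the node access layer, so any holder of the permission who
    knows the nid reads a private issue.
    """
    if ACCESS_ISSUES not in user.permissions:
        return None
    node = NODES.get(nid)
    return node.body if node else None


def view_issue_fixed(user: User, nid: int) -> Optional[str]:
    """Hardened pattern: the module permission is necessary, not sufficient.

    Every node fetched by identifier must also pass the per-node check.
    """
    if ACCESS_ISSUES not in user.permissions:
        return None
    node = NODES.get(nid)
    if node is None or not node_access(user, node):
        return None
    return node.body


def revoke(user: User, permission: str) -> User:
    """The advisory's interim work-around: strip the permission from a role."""
    return User(user.name, user.roles, user.permissions - {permission})


def readable_private_nids(handler: Callable[[User, int], Optional[str]],
                          user: User) -> list:
    """Audit helper: which private nodes does `handler` let `user` read?"""
    return sorted(n.nid for n in NODES.values()
                  if n.view_roles is not None and handler(user, n.nid) is not None)


if __name__ == "__main__":
    for name, handler in (("vulnerable", view_issue_vulnerable),
                          ("fixed", view_issue_fixed)):
        print(name, "reporter sees private:", readable_private_nids(handler, REPORTER))
        print(name, "staff sees private:   ", readable_private_nids(handler, STAFF))
```

The audit helper is the piece a defender can reuse: run the real view path for a low-privilege test account against every node a node access module marks private, and any non-empty result is a bypass.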