Scoutnet vzw

We connect scouts!
All times are UTC + 1 hour




Posted: 20 Aug 2007 18:51
Site Admin

------------PROJECT AND PROJECT ISSUE TRACKING - ACCESS BYPASS ------------

* Advisory ID: DRUPAL-SA-2007-020.
* Project: Project and Project issue tracking (third-party modules)
* Version: 4.7.x-1.*, 4.7.x-2.*, 5.x-0.*
* Date: 2007-Aug-20
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Access bypass

------------DESCRIPTION------------

The Project [ http://drupal.org//project/project ] and Project issue tracking [ http://drupal.org//project/project_issue ] modules provide a series of permissions to control access to projects and issues: "access projects", "access own projects", "access project issues" and "access own project issues". While these permissions correctly prevent users from viewing the entire project or issue itself, the titles (and teasers) of projects and issues can be viewed if a project or issue is promoted to the front page, via the tracker module and the "Recent posts" page, and so on. In certain places, project names are disclosed for users that do not have access to those projects. The issue statistics pages also include information about issues and projects that the user does not have permission to view. Finally, if users can discover or guess the node identifier for a project they do not have access to, they can view CVS activity about that project.

------------VERSIONS AFFECTED------------

* 5.x-*:
  * Project before version 5.x-1.0
  * Project issue tracking before version 5.x-1.0
* 4.7.x-2.*:
  * Project before version 4.7.x-2.3
  * Project issue tracking before version 4.7.x-2.4
* 4.7.x-1.*:
  * Project before version 4.7.x-1.3
  * Project issue tracking before version 4.7.x-1.4

Drupal core is not affected. If you do not use the contributed Project or Project issue tracking modules, there is nothing you need to do. Furthermore, if your site is using these modules but provides full read access to projects and issues (by granting 'access projects' and 'access project issues' permission to both anonymous and authenticated users) there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* 5.x-*:
  * Project 5.x-1.0 [ http://drupal.org//node/168769 ]
  * Project issue tracking 5.x-1.0 [ http://drupal.org//node/168773 ]
* 4.7.x-2.*:
  * Project 4.7.x-2.3 [ http://drupal.org//node/168768 ]
  * Project issue tracking 4.7.x-2.4 [ http://drupal.org//node/168772 ]
* 4.7.x-1.*:
  * Project 4.7.x-1.3 [ http://drupal.org//node/168765 ]
  * Project issue tracking 4.7.x-1.4 [ http://drupal.org//node/168771 ]

------------REPORTED BY------------

Derek Wright (dww [ http://drupal.org/user/46549 ]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
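
The affected-version table and the full-read-access exemption above can be turned into a site audit check. The following is an added example, not part of the advisory or of the Project modules' code; the function names, the role names "anonymous user" and "authenticated user", and the sample inventory are assumptions made for illustration.

```python
import re

# First fixed release per branch, from the advisory's SOLUTION section,
# keyed by (core branch, module major) -> (major, patch).
FIXED = {
    "project": {("5.x", 0): (1, 0), ("4.7.x", 2): (2, 3), ("4.7.x", 1): (1, 3)},
    "project_issue": {("5.x", 0): (1, 0), ("4.7.x", 2): (2, 4), ("4.7.x", 1): (1, 4)},
}
# Permissions named in the advisory's exemption; role names are assumed.
FULL_READ = {"access projects", "access project issues"}
PUBLIC_ROLES = ("anonymous user", "authenticated user")

# Tagged contrib release such as "4.7.x-2.3" or "5.x-1.0".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)?\.x)-(\d+)\.(\d+)$")


def is_affected(module, version):
    """True/False for a tagged release; None when the string cannot be judged."""
    if module not in FIXED:
        return False
    m = VERSION_RE.match(version)
    if not m:
        return None  # e.g. a dev snapshot: review by hand
    core, major, patch = m.group(1), int(m.group(2)), int(m.group(3))
    fixed = FIXED[module].get((core, major))
    return fixed is not None and (major, patch) < fixed


def needs_action(installed, role_perms):
    """Map each module that needs attention to "upgrade" or "review"."""
    if all(FULL_READ <= role_perms.get(r, set()) for r in PUBLIC_ROLES):
        return {}  # advisory: everyone already has full read access
    result = {}
    for module, version in installed.items():
        verdict = is_affected(module, version)
        if verdict is not False:
            result[module] = "upgrade" if verdict else "review"
    return result


if __name__ == "__main__":
    # Constructed inventory and role table, not taken from a real site.
    site = {"project": "4.7.x-1.2", "project_issue": "4.7.x-1.4"}
    perms = {"anonymous user": {"access content"},
             "authenticated user": FULL_READ | {"access content"}}
    print(needs_action(site, perms))
```

Version strings that are not tagged releases are reported as "review" rather than silently treated as safe.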

