Scoutnet vzw :: Bekijk onderwerp - [Drupal] Security announcements: Project and Project issue

Scoutnet vzw http://forum.scoutnet.be/

[Drupal] Security announcements: Project and Project issue http://forum.scoutnet.be/viewtopic.php?f=19&t=1930	Pagina 1 van 1

Auteur:	To [ 20 Aug 2007 18:51 ]
Titel:	[Drupal] Security announcements: Project and Project issue
------------PROJECT AND PROJECT ISSUE TRACKING - ACCESS BYPASS ------------ * Advisory ID: DRUPAL-SA-2007-020. * Project: Project and Project issue tracking (third-party modules) * Version: 4.7.x-1., 4.7.x-2., 5.x-0.* * Date: 2007-Aug-20 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Access bypass ------------DESCRIPTION------------ The Project [ http://drupal.org//project/project ] and Project issue tracking [ http://drupal.org//project/project_issue ] modules provide a series of permissions to control access to projects and issues: "access projects", "access own projects", "access project issues" and "access own project issues". While these permissions correctly prevent users from viewing the entire project or issue itself, the titles (and teasers) of projects and issues can be viewed if a project or issue is promoted to the front page, via the tracker module and the "Recent posts" page, and so on. In certain places, project names are disclosed for users that do not have access to those projects. The issue statistics pages also include infomation about issues and projects that the user does not have permission to view. Finally, if users can discover or guess the node identifier for a project they do not have access to, they can view CVS activity about that project. ------------VERSIONS AFFECTED------------ * 5.x-: Project before version 5.x-1.0 * Project issue tracking before version 5.x-1.0 * 4.7.x-2.: Project before version 4.7.x-2.3 * Project issue tracking before version 4.7.x-2.4 * 4.7.x-1.: Project before version 4.7.x-1.3 * Project issue tracking before version 4.7.x-1.4 Drupal core is not affected. If you do not use the contributed Project or Project issue tracking modules, there is nothing you need to do. Furthermore, if your site is using these modules but provides full read access to projects and issues (by granting 'access projects' and 'access project issues' permission to both anonymous and authenticated users) there is nothing you need to do. ------------SOLUTION------------ Install the latest version: * 5.x-: Project 5.x-1.0 [ http://drupal.org//node/168769 ] * Project issue tracking 5.x-1.0 [ http://drupal.org//node/168773 ] * 4.7.x-2.: Project 4.7.x-2.3 [ http://drupal.org//node/168768 ] * Project issue tracking 4.7.x-2.4 [ http://drupal.org//node/168772 ] * 4.7.x-1.: Project 4.7.x-1.3 [ http://drupal.org//node/168765 ] * Project issue tracking 4.7.x-1.4 [ http://drupal.org//node/168771 ] ------------REPORTED BY------------ Derek Wright (dww [ http://drupal.org/user/46549 ]) of the Drupal security team. ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

Pagina 1 van 1	Alle tijden zijn UTC + 1 uur
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/