------------SA-2007-030 - DRUPAL CORE - API HANDLING OF UNPUBLISHED COMMENT. ------------
* Advisory ID: DRUPAL-SA-2007-030
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2007-October-17
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Access bypass
------------DESCRIPTION------------
The publication status of a comment is not passed to modules during the hook_comment API operation, so modules that rely on that status (such as Organic groups or Subscriptions) mail out unpublished comments. The check fails open because COMMENT_PUBLISHED is 0 in these versions: a module that loosely compares a missing status value with COMMENT_PUBLISHED sees NULL == 0, which is TRUE, and treats the comment as published.
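As an added illustration that is not part of this advisory or of Drupal core, the PHP below shows how a Drupal 5 contributed module can implement hook_comment() so that it does not fail open when the comment array it receives lacks a 'status' key. The module name example_notify, its recipient lookup and the mail subject and body are assumptions made for the example; hook_comment(), db_query(), db_result(), drupal_mail(), check_plain(), t() and COMMENT_PUBLISHED are the Drupal 5 API as it existed at the time.

```php
<?php
// Added example, not code from SA-2007-030 or from Drupal core.
// Hypothetical module "example_notify" (name assumed) that mails new
// comments but refuses to trust the caller to supply a 'status' key.

/**
 * Implementation of hook_comment() for Drupal 5.
 *
 * The naive check that affected modules used looked like:
 *
 *   if ($a1['status'] == COMMENT_PUBLISHED) { ... mail it ... }
 *
 * With COMMENT_PUBLISHED defined as 0, a missing 'status' key makes that
 * expression NULL == 0, which is TRUE, so unpublished comments are mailed.
 */
function example_notify_comment(&$a1, $op) {
  // Only insert and update carry a comment array worth notifying about.
  if ($op != 'insert' && $op != 'update') {
    return;
  }
  if (!example_notify_comment_is_published($a1)) {
    // Fail closed: unknown or unpublished status means no mail.
    return;
  }
  foreach (example_notify_recipients($a1['nid']) as $to) {
    // Drupal 5 signature: drupal_mail($mailkey, $to, $subject, $body).
    drupal_mail('example_notify-comment', $to,
      t('New comment on node @nid', array('@nid' => $a1['nid'])),
      check_plain($a1['comment']));
  }
}

/**
 * Decide whether a comment is published without trusting the caller.
 *
 * If 'status' is present it is compared strictly, so NULL or a missing
 * value can never equal COMMENT_PUBLISHED (0). If it is absent, the status
 * is reloaded from the {comments} table by cid; this assumes the row has
 * already been written when the hook fires.
 */
function example_notify_comment_is_published($comment) {
  if (isset($comment['status'])) {
    return (int) $comment['status'] === COMMENT_PUBLISHED;
  }
  if (empty($comment['cid'])) {
    // Nothing to look up, so there is no way to prove it is published.
    return FALSE;
  }
  $status = db_result(db_query('SELECT status FROM {comments} WHERE cid = %d',
    $comment['cid']));
  return $status !== FALSE && (int) $status === COMMENT_PUBLISHED;
}

/**
 * Recipient lookup, assumed for the example. A real module would read its
 * own subscription table; returning an empty list keeps the example inert.
 */
function example_notify_recipients($nid) {
  return array();
}
```

The two defensive habits matter independently: a strict comparison against a constant whose "allowed" value is 0 stops a missing field from passing the check, and reloading the status from the database removes the dependency on core passing it at all, which is what the 4.7.8 and 5.3 fix restores.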
------------VERSIONS AFFECTED------------
* Drupal 4.7.x before version 4.7.8
* Drupal 5.x before version 5.3
------------SOLUTION------------
Install the latest version:
* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8 [ http://ftp.drupal.org/files/projects/dr ... 7.8.tar.gz ].
* If you are running Drupal 5.x then upgrade to Drupal 5.3 [ http://ftp.drupal.org/files/projects/drupal-5.3.tar.gz ].
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
* To patch Drupal 4.7.x use SA-2007-030-4.7.7.patch [ http://drupal.org/files/sa-2007-030/SA- ... .7.7.patch ].
* To patch Drupal 5.2 use SA-2007-030-5.2.patch [ http://drupal.org/files/sa-2007-030/SA- ... -5.2.patch ].
------------REPORTED BY------------
The Drupal security team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].