------------SA-2008-025 - SIMPLE ACCESS - ACCESS BYPASS------------
* Advisory ID: DRUPAL-SA-2008-025
* Project: Simple access (third-party module)
* Version: 5.x-1.*
* Date: 2008-April-09
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass
------------DESCRIPTION------------
The Simple Access module is a node access module that allows administrators to make some nodes private and/or editable by certain user roles.
The module contains a flaw that results in the privacy information for a node being lost under certain conditions. These conditions are usually triggered via the interaction with other modules, such as Node clone [
http://drupal.org/project/node_clone ] or Project issue tracking [
http://drupal.org/project/project_issue ].
------------VERSIONS AFFECTED------------
* Simple access for Drupal 5.x up to and including version 5.x-1.2-2
Drupal core is not affected. If you do not use the contributed Simple access module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version: Simple access 5.x-1.3 [
http://drupal.org/node/244565 ]
See also the Simple access project page [
http://drupal.org/project/simple_access ].
------------REPORTED BY------------
Derek Wright [
http://drupal.org/user/46549 ] of the Drupal Security Team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].