Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: Views Bulk Operations
http://forum.scoutnet.be/viewtopic.php?f=19&t=2242

Author:  jorisp [ 20 May 2009 21:43 ]
Title:  [Drupal] Security announcements: Views Bulk Operations

* Advisory ID: DRUPAL-SA-CONTRIB-2009-029
* Project: Views Bulk Operations (third-party module)
* Version: 5.x, 6.x
* Date: 2009-May-20
* Security risk: Medium
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

Views Bulk Operations allows registered procedures (called actions) to be applied on a result set of Drupal nodes, returned by the Views module. Through the Views Bulk Operations interface, it is possible to let users who are not authorized to update specific nodes or classes of nodes still apply actions that modify these nodes, thereby violating user permissions.

-------- VERSIONS AFFECTED
---------------------------------------------------

* Views Bulk Operations 5.x-1.x prior to 5.x-1.4
* Views Bulk Operations 6.x-1.x prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed Views Bulk Operations module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:
* If you use Views Bulk Operations 5.x-1.x upgrade to Views Bulk Operations 5.x-1.4 [1]
* If you use Views Bulk Operations 6.x-1.x upgrade to Views Bulk Operations 6.x-1.7 [2]
See also the Views Bulk Operations project page [3].

-------- REPORTED BY
---------------------------------------------------------

Shawn McElroy (bigmack83) [4]

-------- FIXED BY
------------------------------------------------------------

Karim Ratib (kratib) [5]

-------- CONTACT
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.


[1] http://drupal.org/node/468374
[2] http://drupal.org/node/468366
[3] http://drupal.org/project/views_bulk_operations
[4] http://drupal.org/user/248940
[5] http://drupal.org/user/48424
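
The access bypass described in the advisory comes down to a bulk operation that modifies each selected node without asking whether the acting user may update it. The following is an added example, not code from the advisory or from the Views Bulk Operations module: a self-contained PHP model in which every function name, the sample nodes and the permission policy are assumptions made for illustration. It shows the unchecked pattern beside a version that authorizes each node before applying the action.

```php
<?php
// Added illustration: a simplified model, not Drupal or Views Bulk Operations code.
// Every name below (user_can_update, bulk_apply_*) is hypothetical.

// Constructed sample data: node id => owner and title.
function sample_nodes() {
  return array(
    1 => array('owner' => 'alice', 'title' => 'Alice draft'),
    2 => array('owner' => 'bob', 'title' => 'Bob page'),
    3 => array('owner' => 'alice', 'title' => 'Alice news'),
  );
}

// Assumed policy: editors may update any node, other users only their own.
function user_can_update(array $user, array $node) {
  return in_array('editor', $user['roles'], TRUE) || $node['owner'] === $user['name'];
}

// Pattern the advisory describes: the action runs on every selected node and
// the acting user's update permission is never consulted.
function bulk_apply_unchecked(array &$nodes, array $selected, $action) {
  foreach ($selected as $nid) {
    if (isset($nodes[$nid])) { $nodes[$nid] = $action($nodes[$nid]); }
  }
}

// Hardened form: authorize each node for the acting user before modifying it,
// and return the denied ids so the caller can log or report them.
function bulk_apply_checked(array &$nodes, array $selected, $action, array $user) {
  $result = array('applied' => array(), 'denied' => array());
  foreach ($selected as $nid) {
    if (!isset($nodes[$nid])) { continue; }
    if (!user_can_update($user, $nodes[$nid])) {
      $result['denied'][] = $nid;
      continue;
    }
    $nodes[$nid] = $action($nodes[$nid]);
    $result['applied'][] = $nid;
  }
  return $result;
}

$archive = function (array $node) { $node['title'] = '[archived] ' . $node['title']; return $node; };
$alice = array('name' => 'alice', 'roles' => array('authenticated'));
$nodes = sample_nodes();
bulk_apply_unchecked($nodes, array(1, 2, 3), $archive);
echo 'unchecked: ', $nodes[2]['title'], "\n";
$nodes = sample_nodes();
$r = bulk_apply_checked($nodes, array(1, 2, 3), $archive, $alice);
echo 'checked: ', $nodes[2]['title'], ' / denied: ', implode(',', $r['denied']), "\n";
```

In the unchecked run the node owned by bob is modified on alice's behalf; in the checked run it is left untouched and its id is returned in the denied list.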

All times are UTC + 1 hour