------------SECURE SITE - ACCESS BYPASS------------
* Advisory ID: DRUPAL-SA-2007-010
* Project: Secure site (third-party module)
* Version: 4.7, 5
* Date: 2007-Feb-16
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Access bypass
------------DESCRIPTION------------
Secure site allows one to protect a website with a browser-based password. These usernames and passwords are tied directly to the Drupal user database. The site will be invisible to search engines and other crawlers, but still allows access to certain users.
A serious design flaw allows the access restriction to be bypassed by adding a certain string to a URL. Normal Drupal user account permissions are still in effect, but the module's protection is negated.
------------VERSIONS AFFECTED------------
* Secure site 4.7.x-1.x-dev
* Secure site 5.x-1.x-dev
Drupal core is not affected. If you do not use the contributed Secure site module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* Secure site 4.7.x-1.0 [
http://drupal.org/node/119614].
* Secure site 5.x-1.0 [
http://drupal.org/node/119613].
See also the Secure site project page [
http://drupal.org/project/securesite].
------------REPORTED BY------------
Steven Wittens.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact].