- Advisory ID: DRUPAL-SA-2007-015
- Project: Forward (third-party module)
- Version: 5.x and 4.7.x
- Date: 2007-July-09
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The Forward module is a module that allows site administrators to add links to postings that let users email the current page to a third party. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such as Organic Groups, Taxonomy Access Control, Taxonomy Access Lite, etc.
Versions affected
- Forward for Drupal 5.x before 5.x-1.0
- Forward for Drupal 4.7.x before 4.7-1.1
Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.
Solution
Install the latest version:
See also the Forward project page.
Reported by
Drupal Security Team
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.