Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2012-116
- Project: Subuser (third-party module)
- Version: 6.x
- Date: 2012-July-25
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery
Description
The Subuser module allows users to be given the permission to create subusers. The subusers may then be automatically assigned a role or roles. The parent user then has the ability to manage the subusers they have created.
A parent user is allowed to assume the role of a subuser they created (switch users) without having the "switch subuser" permission. However, users are prevented from switching to subusers that were not created by them. Additionally users can be switched to a subuser without intending to do so via a Cross Site Request Forgery attack (CSRF).
CVE: Requested
Versions affected
- subuser 6.x-1.x versions prior to 6.x-1.8.
Drupal core is not affected. If you do not use the contributed Subuser module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Subuser module for Drupal 6.x, upgrade to Subuser 6.x-1.8
Also see the Subuser project page.
Reported by
- Stella Power of the Drupal Security Team
Fixed by
- Jimmy Berry the module maintainer
- Lee Rowlands
Coordinated by
- Stella Power of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Michael hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
