- Advisory ID: DRUPAL-SA-CONTRIB-2012-117
- Project: Location (third-party module)
- Version: 6.x, 7.x
- Date: 2012-July-25
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations.
The Location Search module fails to enforce content and user access permissions and node access restrictions, meaning any user can see any node or user results on the location search page.
From now on users must have the "access content" permission and any relevant node access rights to see node based location results and the "view user profiles" and "view all user locations" permissions to see user based location results.
CVE: Requested
Versions affected
- Location Search (Location sub-module) 6.x versions prior to 6.x-3.2.
- Location Search (Location sub-module) 7.x versions prior to 7.x-3.0-alpha1.
Drupal core is not affected. If you do not use the contributed Location module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Location Search (Location sub-module) module for Drupal 6.x, upgrade to Location 6.x-3.2
- If you use the Location Search (Location sub-module) module for Drupal 7.x, upgrade to Location 7.x-3.0-alpha1
Also see the Location project page.
Reported by
Fixed by
- Reuben Turk the module maintainer
- Ankur Rishi the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Ben Jeavons of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
