- Advisory ID: DRUPAL-SA-CONTRIB-2012-163
- Project: User Read-Only (third-party module)
- Version: 6.x, 7.x
- Date: 2012-November-14
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing.
The module can mistakenly assign roles when performing unrelated operations against a user's account such as changing a password.
The vulnerability is particular to certain combinations of configuration and the number of roles available on the site (more than 3).
- User Read-Only 6.x-1.x versions prior to 6.x-1.4.
- User Read-Only 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed User Read-Only module, there is nothing you need to do.
Install the latest version:
- If you use the User Read-Only module for Drupal 6.x, upgrade to User Read-Only 6.x-1.4
- If you use the User Read-Only module for Drupal 7.x, upgrade to User Read-Only 7.x-1.4
Also see the User Read-Only project page.
- David Norman the module maintainer
- Greg Knaddison of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Lee Rowlands provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.