- Advisory ID: DRUPAL-SA-CONTRIB-2012-163
- Project: User Read-Only (third-party module)
- Version: 6.x, 7.x
- Date: 2012-November-14
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing.
The module can mistakenly assign roles when performing unrelated operations against a user's account such as changing a password.
The vulnerability is particular to certain combinations of configuration and the number of roles available on the site (more than 3).
CVE: CVE-2012-5557
Versions affected
- User Read-Only 6.x-1.x versions prior to 6.x-1.4.
- User Read-Only 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed User Read-Only module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the User Read-Only module for Drupal 6.x, upgrade to User Read-Only 6.x-1.4
- If you use the User Read-Only module for Drupal 7.x, upgrade to User Read-Only 7.x-1.4
Also see the User Read-Only project page.
Reported by
Fixed by
- David Norman the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Lee Rowlands provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
