By heine on
- Advisory ID: DRUPAL-SA-2008-002
- Project: Atom (third-party module)
- Version: 4.7.x, 5.x
- Date: 2008-January-10
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The Atom module provides a list of node titles, and teasers or bodies as part of a syndication feed. In certain conditions, the titles, teasers, and body were not respecting access permissions, potentially exposing content to syndication not available otherwise.
Versions affected
- Atom for Drupal 4.7.x before Atom 4.7.x-1.0
- Atom for Drupal 5.x before Atom 5.x-1.0
Drupal core is not affected. If you do not use the contributed Atom module, there is nothing you need to do. Furthermore, if your site does
not use more advanced per-node access controls, there is nothing you
need to do.
Solution
Install the latest version:
- If you use Drupal 4.7.x upgrade to Atom 4.7.x-1.0.
- If you use Drupal 5.x upgrade to Atom 5.x-1.0.
See also the Atom project page.
Reported by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
