- Advisory ID: DRUPAL-SA-2008-065
- Project: Node Clone (third-party module)
- Version: 6.x, and 5.x.
- Date: 2008-October-15
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The third-party Node Clone module enables users to make a copy of an existing item of content (a node), and then edit that copy.
The module contains a flaw that allows a user with the 'clone node' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see unpublished nodes even if they do not have permission to view unpublished nodes.
Versions affected
- All versions of Node Clone prior to October 15, 2008
Drupal core is not affected. If you do not use the contributed Node Clone module, there is nothing you need to do.
Solution
Install the latest version:
- If you use 6.x-1.0-beta2 upgrade to Node clone 6.x-1.0.
- If you use 5.x-2.5 upgrade to Node clone 5.x-2.6.
- If you use 5.x-1.5 upgrade to Node clone 5.x-1.6.
See also the Node Clone project page.
Reported by
Peter Wolanin of the Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.