- Advisory ID: DRUPAL-SA-CONTRIB-2009-003
- Project: Internationalization (i18n) (third-party module)
- Version: 5.x-2.x
- Date: 2009-January-14
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The third-party i18n module enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node.
The module contains a flaw that allows a user with the 'translate node' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes.
Versions affected
- All 5.x versions of Internationalization (i18n) prior to 5.x-2.5.
Drupal core is not affected. If you do not use the contributed Internationalization (i18n) module, there is nothing you need to do.
Solution
Install the latest version:
- If you use 5.x-2.x upgrade to Internationalization 5.x-2.5.
See also the Internationalization project page.
Reported by
Wolfgang Ziegler and by Nat Catchpole of the Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
