• Advisory ID: DRUPAL-SA-CONTRIB-2009-024
  • Project: Node Access User Reference (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-April-29
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

Node Access User Reference enables administrators to automatically grant node access (view, update, or delete) on a node to the user referenced by a CCK user reference field. When such a field is saved with an empty value, Node Access User Reference mistakes the empty value for a reference to the anonymous user (uid 0), and so allows anonymous (not logged in) visitors to view or edit the node in question.
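The following PHP is an added illustration of the failure mode described above; it is not code from the Node Access User Reference module or from Drupal. It models, in plain PHP with no Drupal dependencies, how a module built on the node access API turns user reference field values into grant records (the array shape returned by hook_node_access_records()) and how the anonymous user comes to match them. The realm name, the field value layout, the helper names and the sample values are all assumptions made for the example.

```php
<?php
// Added example, not the module's own code. Models the empty-value bug in a
// user-reference based node access module and a fixed version beside it.
// Realm name, field layout, helper names and sample data are assumptions.

define('ANON_UID', 0);  // Drupal's anonymous user always has uid 0.

// Constructed sample: CCK userreference items as saved on one node. The
// second and third items are what an empty or unset widget may produce.
$sample_field_values = array(
  array('uid' => '42'),
  array('uid' => ''),     // empty selection saved as an empty string
  array('uid' => NULL),   // value never set
);

// VULNERABLE: every saved item becomes a grant. (int) '' and (int) NULL
// both evaluate to 0, which is the anonymous user's uid.
function vulnerable_access_records(array $items) {
  $grants = array();
  foreach ($items as $item) {
    $grants[] = array(
      'realm' => 'nodeaccess_userreference',  // assumed realm name
      'gid' => (int) $item['uid'],
      'grant_view' => 1,
      'grant_update' => 1,
      'grant_delete' => 0,
      'priority' => 0,
    );
  }
  return $grants;
}

// FIXED: skip empty, non-numeric and non-positive uids before granting, so an
// unset reference never becomes a grant for uid 0.
function fixed_access_records(array $items) {
  $grants = array();
  foreach ($items as $item) {
    if (!isset($item['uid']) || $item['uid'] === '' || !is_numeric($item['uid'])) {
      continue;  // nothing referenced: no grant at all
    }
    $uid = (int) $item['uid'];
    if ($uid <= 0) {
      continue;  // never hand out a grant keyed on the anonymous uid
    }
    $grants[] = array(
      'realm' => 'nodeaccess_userreference',
      'gid' => $uid,
      'grant_view' => 1,
      'grant_update' => 1,
      'grant_delete' => 0,
      'priority' => 0,
    );
  }
  return $grants;
}

// Model of hook_node_grants(): in this realm a user's only gid is their uid.
// The anonymous user therefore carries gid 0.
function user_grants($uid) {
  return array('nodeaccess_userreference' => array((int) $uid));
}

// Model of the node_access check: access is granted if any record in a realm
// the user has grants for matches one of the user's gids.
function can_view(array $records, $uid) {
  $gids = user_grants($uid);
  foreach ($records as $r) {
    if ($r['grant_view'] && isset($gids[$r['realm']])
        && in_array($r['gid'], $gids[$r['realm']], TRUE)) {
      return TRUE;
    }
  }
  return FALSE;
}

var_dump(can_view(vulnerable_access_records($sample_field_values), ANON_UID));
var_dump(can_view(fixed_access_records($sample_field_values), ANON_UID));
var_dump(can_view(fixed_access_records($sample_field_values), 42));
```

Run under any PHP 5 or later interpreter. With the vulnerable builder, the empty items produce records with gid 0, and the first check returns TRUE: the anonymous user can view the node. With the fixed builder only the reference to uid 42 survives, so the anonymous check returns FALSE while the check for uid 42 still returns TRUE. The practical lesson is that a grant record must only ever be emitted for a reference that was deliberately set, and that uid 0 must be rejected explicitly rather than relying on an empty value never reaching the integer cast.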

Versions affected

  • Node Access User Reference 5.x prior to 5.x-2.0-beta4
  • Node Access User Reference 6.x prior to 6.x-2.0-beta6

Drupal core is not affected. If you do not use the contributed Node Access User Reference module, there is nothing you need to do.

Solution

Install the latest version: if you use Node Access User Reference for Drupal 5.x, upgrade to 5.x-2.0-beta4 or later; if you use it for Drupal 6.x, upgrade to 6.x-2.0-beta6 or later.

See also the Node Access User Reference project page.

Reported by

Jakub Suchy of the Drupal security team and Bob Geiger.

Fixed by

Daniel Braksator.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.