By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-018
- Project: Content Distribution (third-party module)
- Version: 6.x
- Date: 2010 February 17
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Multiple Vulnerabilities
Description
The Content Distribution module allows calling a method that deletes particular nodes via an XML-RPC call. When user permissions allow anonymous users to call this method, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily switch users. This is done without properly disabling session saving.
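The user-switching issue described above, shown as the hardened pattern in an added example that is not the module's code or its actual fix. It assumes it runs inside a bootstrapped Drupal 6 site, where `session_save_session()` and `user_load()` are core functions; the helper name `example_run_as_user()` is hypothetical.

```php
<?php
/**
 * Illustrative Drupal 6 helper (hypothetical name, not from the module):
 * run a callback as another user without letting the switched identity
 * be written to the caller's session.
 */
function example_run_as_user($uid, $callback, $args = array()) {
  global $user;

  // user_load() returns FALSE in Drupal 6 when the account does not exist.
  $account = user_load($uid);
  if (!$account) {
    return FALSE;
  }

  // Remember the real user and the current session-saving state.
  $original_user = $user;
  $original_save = session_save_session();

  // Disable saving BEFORE switching. If saving stays enabled, the session
  // handler stores the session under the switched account's uid at the end
  // of the request, and the caller keeps that identity on later requests.
  // Disabling first also covers callbacks that end the request early.
  session_save_session(FALSE);
  $user = $account;

  $result = call_user_func_array($callback, $args);

  // Restore the original identity first, then the previous saving state.
  $user = $original_user;
  session_save_session($original_save);

  return $result;
}
```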
Versions affected
- Content Distribution prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Content Distribution module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Content Distribution for Drupal 6.x, upgrade to Content Distribution 6.x-1.3.
See also the Content Distribution project page.
Reported by
- Joachim Noreiko (joachim), the module co-maintainer.
Fixed by
- Joachim Noreiko (joachim), the module co-maintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.