Anonymous user may see which scheduled tasks of Rules module has been executed via cron.

User may see which scheduled tasks of Rules module has been executed via
cron. This is not threat by itself but it may expose some valuable
information to unauthorized user.

1. Configuration
Rules module in version:

; $Id: rules.info,v 1.1.2.2 2008/07/10 08:15:04 fago Exp $
name = Rules
description = Lets you define conditionally executed actions based on
occurring events.
package = Rules
core = 6.x
; Information added by drupal.org packaging script on 2010-03-18
version = "6.x-1.x-dev"
core = "6.x"
project = "rules"
datestamp = "1268914474"

Drupal Core 6.16.

2. Steps to reproduce.
a) Create some rule which fires on cron run.
b) Logout.
c) Execute cron task via entering http://yourpage/cron.php (maybe via
Poormanscron is it possible also)
e) Go to main page of site.
d) Anonymous user will see something like that:

0 ms "Cron maintenance tasks are performed" has been invoked.
5.211 ms Executing the rule "*** {triggered rule}" on rule set "Cron maintenance tasks are performed"
5.432 ms Action execution: "Execute custom PHP code"
17.432 ms Evaluation of "Cron maintenance tasks are performed" has been
finished.

3. Possible place of problem.
function rules_show_log() in rules.module
It displays text to user via drupal_set_message without checking permissions.

4. Possible fix.
In function rules_show_log() there need to be access check made like in
other parts of this module.
if (!user_access('administer rules')) {
return;
}