• Advisory ID: DRUPAL-SA-2007-012.
  • Project: Project issue tracking (third-party module).
  • Version: 4.7.x-1.*, 4.7.x-2.*, 5.x-0.*.
  • Date: 2007-March-08.
  • Security risk: Critical.
  • Exploitable from: Remote.
  • Vulnerability: Access bypass.

Description

If a remote user knows the node identifier of an issue that has been marked private using a node access module (simple_access, node_privacy_byrole, etc), they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access project issues" permission.

Versions affected

  • Project issue tracking 5.x-* before version 5.x-0.2-beta
  • Project issue tracking 4.7.x-2.* before version 4.7.x-2.3
  • Project issue tracking 4.7.x-1.* before version 4.7.x-1.3

Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.

Solution

Install the latest version:

Revoking the "access project issues" permission for all roles that you do not trust with all of your private issue content provides an immediate work-around.

Reported by

Gerhard Killesreiter (killes) of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.