- Advisory ID: DRUPAL-SA-2007-012.
- Project: Project issue tracking (third-party module).
- Version: 4.7.x-1.*, 4.7.x-2.*, 5.x-0.*.
- Date: 2007-March-08.
- Security risk: Critical.
- Exploitable from: Remote.
- Vulnerability: Access bypass.
Description
If a remote user knows the node identifier of an issue that has been marked private using a node access module (simple_access, node_privacy_byrole, etc), they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access project issues" permission.
Versions affected
- Project issue tracking 5.x-* before version 5.x-0.2-beta
- Project issue tracking 4.7.x-2.* before version 4.7.x-2.3
- Project issue tracking 4.7.x-1.* before version 4.7.x-1.3
Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.
Solution
Install the latest version:
- Project issue tracking 5.x-0.2-beta
- Project issue tracking 4.7.x-2.3
- Project issue tracking 4.7.x-1.3
Revoking the "access project issues" permission for all roles that you do not trust with all of your private issue content provides an immediate work-around.
Reported by
Gerhard Killesreiter (killes) of the Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.