- Advisory ID: DRUPAL-SA-CONTRIB-2012-019
- Project: Link checker (third-party module)
- Version: 6.x
- Date: 2012-February-15
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
- CVE: CVE-2012-1642
Description
The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed.
The module does not correctly check permission to access the site's content before displaying broken links that were found within it, leading to an access bypass vulnerability.
This vulnerability is mitigated by several factors: The site must have private content (for example, if a node access or CCK field access module is being used), and the Link checker module must be configured to display broken links to users who do not already have permission to bypass content access control. Also, only the URLs of the broken links are displayed, so this vulnerability is only serious if the content of those URLs is potentially sensitive (for example, if the URL contains a username and password or a secure token, or if it would reveal sensitive information about topics being discussed in the rest of the private content).
Versions affected
- Link checker 6.x-2.x versions prior to 6.x-2.5.
Drupal core is not affected. If you do not use the contributed Link checker module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Link checker module for Drupal 6.x, upgrade to Link checker 6.x-2.5.
See also the Link checker project page.
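To check an installed copy against the affected range above, the following added example (not part of the original advisory or the module's code) classifies the version string that drupal.org packaging writes into a module's `.info` file. The file name `linkchecker.info` and the sample file contents are assumptions constructed for illustration.

```python
import re

# Drupal contrib versions look like "6.x-2.4", "6.x-2.5-beta1" or "6.x-2.x-dev".
_VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([A-Za-z]+\d*))?$")
_INFO_LINE_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)

# First fixed release named in the advisory: Link checker 6.x-2.5.
FIXED_CORE, FIXED_MAJOR, FIXED_PATCH = 6, 2, 5

# Constructed sample of a packaged linkchecker.info (assumed file name).
SAMPLE_INFO = '''name = Link checker
core = 6.x
version = "6.x-2.4"
'''


def version_from_info(info_text):
    """Return the packaged version string from .info contents, or None.

    Checkouts from version control usually have no version line at all.
    """
    m = _INFO_LINE_RE.search(info_text)
    return m.group(1) if m else None


def classify(version):
    """Return 'affected', 'not-listed' or 'unknown' for a Link checker version."""
    m = _VERSION_RE.match(version or "")
    if not m:
        return "unknown"          # missing or unparseable: review by hand
    core, major, patch, extra = m.groups()
    if (int(core), int(major)) != (FIXED_CORE, FIXED_MAJOR):
        return "not-listed"       # the advisory lists only the 6.x-2.x branch
    if patch == "x":
        return "unknown"          # -dev snapshot: string does not identify the code
    if int(patch) < FIXED_PATCH:
        return "affected"         # prior to 6.x-2.5
    if int(patch) == FIXED_PATCH and extra:
        return "unknown"          # pre-release of 2.5: advisory does not cover it
    return "not-listed"


if __name__ == "__main__":
    found = version_from_info(SAMPLE_INFO)
    print(found, "->", classify(found))
```

A result of `unknown` means the version string alone cannot settle the question, so the installed code should be compared against the 6.x-2.5 release directly.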
Reported by
Various aspects of the access bypass vulnerability were reported by the following individuals:
- Ivo Van Geertruyen of the Drupal Security Team
- Dave Reid of the Drupal Security Team
- Alexander Hass, the module maintainer
- David Rothstein of the Drupal Security Team
Fixed by
- David Rothstein of the Drupal Security Team
- Alexander Hass, the module maintainer
- Ivo Van Geertruyen of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.