• Advisory ID: DRUPAL-SA-CONTRIB-2012-019
  • Project: Link checker (third-party module)
  • Version: 6.x
  • Date: 2012-February-15
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

CVE: CVE-2012-1642

The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed.

The module does not correctly check permission to access the site's content before displaying broken links that were found within it, leading to an access bypass vulnerability.

This vulnerability is mitigated by several factors: The site must have private content (for example, if a node access or CCK field access module is being used), and the Link checker module must be configured to display broken links to users who do not already have permission to bypass content access control. Also, only the URLs of the broken links are displayed, so this vulnerability is only serious if the content of those URLs is potentially sensitive (for example, if the URL contains a username and password or a secure token, or if it would reveal sensitive information about topics being discussed in the rest of the private content).
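To make the defect concrete, the two functions below contrast a report listing that omits the node access check with one that applies it. This is an added illustration in Drupal 6 API terms and not the Link checker module's own code; the `{example_links}` table and the `example_` function names are hypothetical.

```php
<?php
// Hypothetical broken-link report (not the Link checker module's code).
// Assumed table {example_links}(url, nid) holds URLs extracted per node.

// Defect pattern: the join to {node} is not rewritten for node access and no
// per-node check is made, so a user who cannot view a private node still sees
// the URLs that were extracted from it.
function example_links_report_vulnerable() {
  $sql = "SELECT l.url, n.nid, n.title FROM {example_links} l
          INNER JOIN {node} n ON n.nid = l.nid";
  $result = db_query($sql);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = array(check_plain($row->url), l($row->title, 'node/' . $row->nid));
  }
  return theme('table', array(t('Broken URL'), t('Content')), $rows);
}

// Fixed pattern: db_rewrite_sql() applies the node_access grants of the
// current user to the query, and node_access('view') is re-checked per row
// so nodes hidden by a node access module are never listed. Field-level
// (CCK) restrictions gate individual fields and need their own check, which
// is outside this example.
function example_links_report_fixed() {
  global $user;
  $sql = "SELECT l.url, n.nid, n.title FROM {example_links} l
          INNER JOIN {node} n ON n.nid = l.nid";
  $result = db_query(db_rewrite_sql($sql));
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $node = node_load($row->nid);
    if (!$node || !node_access('view', $node, $user)) {
      continue;  // Skip content this account is not allowed to see.
    }
    $rows[] = array(check_plain($row->url), l($node->title, 'node/' . $node->nid));
  }
  return theme('table', array(t('Broken URL'), t('Content')), $rows);
}
```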

Versions affected

  • Link checker 6.x-2.x versions prior to 6.x-2.5.

Drupal core is not affected. If you do not use the contributed Link checker module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Link checker module for Drupal 6.x, upgrade to Link checker 6.x-2.5.

See also the Link checker project page.

Reported by

Various aspects of the access bypass vulnerability were reported by the following individuals:

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.