SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass

• Advisory ID: DRUPAL-SA-CONTRIB-2013-072
• Project: Node View Permissions (third-party module)
• Version: 7.x
• Date: 2013-August-28
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass

Description

The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page.
However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view permission.

CVE identifier(s) issued

• CVE-2013-4337

Versions affected

• Node View Permissions 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Node View Permissions module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Node View Permissions module for Drupal 7.x, upgrade to Node View Permissions 7.x-1.2

Also see the Node View Permissions project page.

Reported by

• Mark Theunissen

Fixed by

• hoter the module maintainer

Coordinated by

• Michael Hess of the Drupal Security Team
• Mark Ferree provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.