  • Advisory ID: DRUPAL-SA-CONTRIB-2014-045
  • Project: Drupal Commons (third-party module)
  • Version: 7.x
  • Date: 2014-April-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

This SA covers two issues in Drupal Commons, each addressed by its own patch.

Views Bulk Operations Access Bypass

Drupal Commons ships with a view for moderating reported content, intended to let authenticated users see which content has been reported.

Because the VBO operations are hard-coded into that view, and Drupal Commons does not ship with the VBO 'access_permissions' submodule enabled, every bulk operation exposed by the view can be executed by anyone who can access the view. In the default configuration this lets users delete other users' content and potentially ban other users from the site.
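A site owner who wants to know whether their own views are exposed in this way can enumerate every view that carries a VBO field and report its access plugin and selected operations. The script below is an added example, not code from Drupal Commons or VBO; it is meant to be run with `drush php-script` on a Drupal 7 site and assumes the Views 7.x-3.x API (`views_get_all_views()`, `set_display()`, `get_option()`), the VBO field id `views_bulk_operations` with its `vbo_operations` option, and a machine name for VBO's per-action permission submodule, which the advisory calls 'access_permissions' and which you should confirm against your install.

```php
<?php
/**
 * Added example (not Drupal Commons or VBO code): audit which views expose
 * Views Bulk Operations and whether anything gates them.
 *
 * Run on the site:  drush php-script vbo_audit.php
 *
 * Assumptions: Views 7.x-3.x object API, VBO field id 'views_bulk_operations'
 * and its 'vbo_operations' option, and the submodule machine name below.
 */

// The advisory names the permission submodule 'access_permissions'. Confirm
// the machine name on your install with `drush pm-list | grep -i bulk`.
define('VBO_PERMISSIONS_MODULE', 'access_permissions');  // assumption

/**
 * Returns one row per display that contains a VBO field:
 *   view name, display id, access plugin type, and the selected operations.
 */
function vbo_audit_collect() {
  $rows = array();
  foreach (views_get_all_views() as $view) {
    foreach (array_keys($view->display) as $display_id) {
      $view->set_display($display_id);
      $fields = $view->display_handler->get_option('fields');
      if (empty($fields)) {
        continue;
      }
      foreach ($fields as $field) {
        if (!isset($field['field']) || $field['field'] !== 'views_bulk_operations') {
          continue;
        }
        // Which operations are switched on for this VBO field (assumed layout).
        $ops = array();
        if (!empty($field['vbo_operations'])) {
          foreach ($field['vbo_operations'] as $op_key => $op) {
            if (!empty($op['selected'])) {
              $ops[] = $op_key;
            }
          }
        }
        $access = $view->display_handler->get_option('access');
        $rows[] = array(
          'view' => $view->name,
          'display' => $display_id,
          // 'none' means the display is reachable by anyone who can hit its path.
          'access' => isset($access['type']) ? $access['type'] : 'none',
          'operations' => $ops,
        );
      }
    }
  }
  return $rows;
}

/**
 * Prints the findings and flags the dangerous combination described in the
 * advisory: VBO operations exposed while no per-action permission check exists.
 */
function vbo_audit_report() {
  $permissions_enabled = module_exists(VBO_PERMISSIONS_MODULE);
  printf("VBO per-action permissions module (%s): %s\n",
    VBO_PERMISSIONS_MODULE, $permissions_enabled ? 'enabled' : 'DISABLED');

  foreach (vbo_audit_collect() as $row) {
    $risky = !$permissions_enabled && $row['access'] === 'none';
    printf("%s%s [%s] access=%s operations=%s\n",
      $risky ? '!! ' : '   ',
      $row['view'], $row['display'], $row['access'],
      $row['operations'] ? implode(',', $row['operations']) : '(none selected)');
  }
}

vbo_audit_report();
```

Rows marked `!!` are displays where every selected operation runs for anyone who reaches the view, which is the condition the advisory describes for the reported-content view. Enabling the per-action permission submodule, or giving the display a `perm` or `role` access plugin, removes the flag; the script does not change anything itself.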

Anonymous Users can view Wiki revisions regardless of group privacy

Commons lets members of a group edit a wiki created by anyone, regardless of the node's own edit permissions; that behaviour is meant to defer to the group's permissions when granting edit access. However, the revisions permission hook allows anyone, anonymous or authenticated, to view revisions and the diffs between them. This can leak otherwise hidden data from groups the user does not have access to.
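The failure mode here is a revision-access check that answers yes without consulting group membership. The following is an added example of the shape a correct check takes, not the Drupal Commons fix: a small Drupal 7 module (hypothetical name `mysite_revisions`) that rewires core's revision paths to an access callback which keeps core's own `view revisions` check and then, for group content, additionally requires active membership in one of the node's groups. It assumes Organic Groups 7.x-2.x (`og_get_entity_groups()`, `og_is_member()`) and core's `_node_revision_access()`.

```php
<?php
/**
 * Added example (not Drupal Commons code): make node revision pages respect
 * group membership. Module machine name 'mysite_revisions' is hypothetical.
 *
 * Assumes Drupal 7 core menu items 'node/%node/revisions' and
 * 'node/%node/revisions/%/view', and Organic Groups 7.x-2.x.
 */

/**
 * Implements hook_menu_alter().
 *
 * Replace core's access callback on the revision listing and single-revision
 * view with one that also checks group membership.
 */
function mysite_revisions_menu_alter(&$items) {
  $paths = array('node/%node/revisions', 'node/%node/revisions/%/view');
  foreach ($paths as $path) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'mysite_revisions_access';
      $items[$path]['access arguments'] = array(1);
    }
  }
}

/**
 * Access callback: core's revision check, then group membership for group content.
 *
 * Returns TRUE only if the account may view the node's revisions.
 */
function mysite_revisions_access($node, $account = NULL) {
  if ($account === NULL) {
    global $user;
    $account = $user;
  }

  // Keep core's decision first: requires 'view revisions' (or 'administer
  // nodes') and node_access('view'). Never weaken it, only narrow it.
  if (!_node_revision_access($node, 'view')) {
    return FALSE;
  }

  if (!module_exists('og')) {
    return TRUE;
  }

  // Group content: the node belongs to one or more groups. Anonymous users
  // are never members, so they are denied here regardless of 'view revisions'.
  $groups = og_get_entity_groups('node', $node);
  if (empty($groups)) {
    // Not group content; core's answer stands.
    return TRUE;
  }
  if (empty($account->uid)) {
    return FALSE;
  }
  foreach ($groups as $group_type => $gids) {
    foreach ($gids as $gid) {
      if (og_is_member($group_type, $gid, 'user', $account)) {
        return TRUE;
      }
    }
  }
  return FALSE;
}
```

The ordering matters: the callback only ever narrows what core already permits, so enabling it cannot expose revisions to someone core would have refused. Sites using the Diff module should apply the same callback to the revision-comparison paths that module registers, since those render the same content through a different menu item.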

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Drupal Commons 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Drupal Commons module, there is nothing you need to do.

Solution

Install the latest version: if you use Drupal Commons 7.x-3.x, upgrade to Drupal Commons 7.x-3.10.

Also see the Drupal Commons project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity