  • Advisory ID: DRUPAL-SA-2008-030
  • Project: Site Documentation (third-party module)
  • Versions: 5.x and 6.x
  • Date: 2008-May-14
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Privilege escalation

Description

The contributed module Site Documentation is intended to assist developers and administrators when they start working with a new site by showing them information from the database.

All users with the "access content" permission are able to use the module to list arbitrary tables from the database. In typical scenarios, both anonymous and authenticated users have the "access content" permission.

Access to arbitrary tables enables an attacker to impersonate users by using session IDs obtained from the database. An attacker could use specially crafted URLs to gain access to additional private information, including, but not limited to, all usernames, password hashes, and e-mail addresses.

Versions affected

  • Site Documentation for Drupal 5.x before Site Documentation 5.x-1.8
  • Site Documentation for Drupal 6.x before Site Documentation 6.x-1.1

Drupal core is not affected. If you do not use the contributed Site Documentation module, there is nothing you need to do.
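
As an added example (not part of the original advisory or the module's code), the following Python check classifies an installed version string against the fixed releases listed under "Versions affected". It assumes the version is read from the `version = "..."` line of the module's .info file; the sample .info text is constructed, and treating a pre-release of a fixed version as affected is a conservative assumption.

```python
import re

# Fixed releases per Drupal core branch, from "Versions affected" above.
FIXED = {5: (1, 8), 6: (1, 1)}

# Contrib version strings: "6.x-1.0", optionally "-beta2"/"-rc1"/"-dev";
# "6.x-1.x-dev" is a development snapshot.
VERSION_RE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+)\d*)?$')
INFO_VERSION_RE = re.compile(r'^[ \t]*version[ \t]*=[ \t]*"?([^"\s]+)"?\s*$', re.M)

# Constructed sample .info content (not copied from the real module).
SAMPLE_INFO = '''name = Site Documentation
description = Constructed sample for this example.
; Information added by packaging script
version = "6.x-1.0"
core = "6.x"
'''

def read_info_version(info_text):
    """Return the version string from .info text, or None if absent."""
    m = INFO_VERSION_RE.search(info_text)
    return m.group(1) if m else None

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a version string."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"
    core, major, minor, tag = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if core not in FIXED:
        return "unknown"      # the advisory only covers 5.x and 6.x
    if minor == "x" or tag == "dev":
        return "unknown"      # snapshot: depends on build date, check manually
    release = (major, int(minor))
    if release < FIXED[core]:
        return "affected"
    if release == FIXED[core] and tag:
        return "affected"     # assumption: a pre-release predates the fixed release
    return "fixed"

if __name__ == "__main__":
    v = read_info_version(SAMPLE_INFO)
    print(v, "->", classify(v))
```

An "unknown" result means the version string alone cannot settle the question and the installation should be checked by hand.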

Solution

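Install the latest version:

  • If you use Site Documentation for Drupal 5.x, upgrade to Site Documentation 5.x-1.8 or later.
  • If you use Site Documentation for Drupal 6.x, upgrade to Site Documentation 6.x-1.1 or later.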

See also the Site Documentation project page.

Reported by

The Site Documentation module maintainer Nancy Wichmann in collaboration with the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.