SA-2008-063 - multiple third party modules - Access bypass due to incorrect Drupal 6 updates

• Advisory ID: DRUPAL-SA-2008-063
• Project: Several Third-Party Modules incorrectly updated for the Drupal 6 menu system
• Version: 6.x
• Date: 2008-October-8
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass

Description

Several contributed modules were incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls are likely to be by-passed by unprivileged users. In some cases, this includes access to the administrative functions of these modules, or access to content the user would otherwise be prohibited from seeing.

Drupal core is not affected. Disabling the affected modules provides an immediate workaround.

Versions affected

• Live module 6.x before version 6.x-1.0
• AJAX Picture Preview module 6.x before version 6.x-1.2
• Admin:hover module 6.x-1.x-dev before 2008-Oct-08
• Banner Rotor Module before version 6.x-1.3
• Creative Commons Lite module 6.x before version 6.x-1.1
• Keyboard shortcut utiilty module 6.x before version 6.x-1.1
• LiveJournal CrossPoster module 6.x before version 6.x-1.4
• Taxonomy import/export via XML module 6.x before version 6.x-1.2
• User Referral module 6.x-1.x-dev before 2008-Oct-08

Drupal core is not affected. If you do not use a contributed module from the list above on a Drupal 6 site, there is nothing you need to do.

Solution

If you are running any of the modules from the list above, upgrade to the version specified in the list.

Important note

If you are the author of a contributed module being updated for Drupal 6.x, please read carefully the documentation on the Drupal 6 menu system to insure that you do not make the same mistake: http://drupal.org/node/109157

Reported by

John Morahan and Peter Wolanin of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.