Date: 2009-February-11

  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Security risk: None

Description

This is a public service announcement regarding the "administer content types" permission. The rise of the Content Construction Kit (CCK) and a legion of powerful CCK field modules have considerably extended the abilities of a user with this permission, with much of a site's behaviour now being configurable via the content types administration pages.

The permission "administer content types" is therefore comparable in scope to the "administer site configuration" permission. Only grant this permission to trusted site administrators.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Updates

  • 2018-08-16 — Updated advisory ID from SA-CORE-2009-002 as part of a data migration.

Solution: Only grant trusted site administrators the "administer content types" permission.
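
One way to check which roles and users currently hold the permission, as an added example that is not part of the original advisory. The rows are constructed sample data modeled on the Drupal 5/6 `role`, `permission`, `users` and `users_roles` tables (reduced to the columns used here); the role and user names are made up.

```python
import sqlite3

TARGET = "administer content types"
SITE_CONFIG = "administer site configuration"
# Built-in Drupal 5/6 role ids: membership is implicit, not stored in users_roles.
BUILTIN = {1: "every visitor", 2: "every logged-in user"}

def load_sample(conn):
    # Constructed rows shaped like the Drupal 5/6 tables (assumption: no table prefix).
    conn.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE permission (rid INTEGER, perm TEXT);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),
                                (3,'editor'),(4,'site admin');
        INSERT INTO permission VALUES
          (1,'access content'),
          (2,'access content, post comments'),
          (3,'access content, administer content types, administer nodes'),
          (4,'administer content types, administer site configuration');
        INSERT INTO users VALUES (5,'alice'),(6,'bob'),(7,'carol');
        INSERT INTO users_roles VALUES (5,3),(6,3),(7,4);
    """)

def audit(conn, target=TARGET):
    """Return one finding per role whose permission list contains `target` exactly."""
    findings = []
    rows = conn.execute("SELECT r.rid, r.name, p.perm FROM role r "
                        "JOIN permission p ON p.rid = r.rid ORDER BY r.rid").fetchall()
    for rid, name, perm in rows:
        perms = {p.strip() for p in perm.split(",")}  # perm is one comma-separated string
        if target not in perms:
            continue
        users = [u for (u,) in conn.execute(
            "SELECT u.name FROM users u JOIN users_roles ur ON ur.uid = u.uid "
            "WHERE ur.rid = ? ORDER BY u.name", (rid,))]
        findings.append({
            "role": name,
            "holders": BUILTIN.get(rid, users),
            # Roles not already trusted with site configuration deserve review first.
            "review_first": SITE_CONFIG not in perms,
        })
    return findings

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    for finding in audit(conn):
        print(finding)
```

Roles flagged `review_first` hold "administer content types" without "administer site configuration", which is where the scope described above is most likely to have been underestimated.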