* Advisory ID: DRUPAL-SA-CONTRIB-2010-018 * Project: Content Distribution (third-party module) * Version: 6.x * Date: 2010 February 17 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Mulitple Vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
Content Distribution module allows calling a method to delete particular nodes using a XML-RPC call. When this method is allowed to be called by anonymous users in user permissions, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily switch users. This is being done without properly disabling session saving. -------- VERSIONS AFFECTED ---------------------------------------------------
* Content Distribution prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Content Distribution module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use Content Distribution for Drupal 6.x upgrade to Content Distribution 6.x-1.3 [1].
See also the Content Distribution project page [2]. -------- REPORTED BY ---------------------------------------------------------
* Joachim Noreiko (joachim [3]), the module co-maintainer.
-------- FIXED BY ------------------------------------------------------------
* Joachim Noreiko (joachim [4]), the module co-maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/716400 [2] http://drupal.org/project/content_distribution [3] http://drupal.org/user/107701 [4] http://drupal.org/user/107701