* Advisory ID: DRUPAL-SA-CONTRIB-2010-086 * Project: Prepopulate (third-party module) * Version: 5.x and 6.x * Date: 2010-Aug-11 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. -------- VERSIONS AFFECTED ---------------------------------------------------
* Prepopulate module for Drupal 6.x versions prior to 6.x-2.0 [1] * Prepopulate module for Drupal 5.x versons prior to 5.x-1.5 [2]
Drupal core is not affected. If you do not use the contributed Prepopulate [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate 6.x-2.0 [4] * If you use the Prepopulate module for Drupal 5.x upgrade to Prepopulate 5.x-1.5 [5]
See also the Prepopulate project page [6]. -------- REPORTED BY ---------------------------------------------------------
* Aren Cambre [7]
-------- FIXED BY ------------------------------------------------------------
* Joshua Brauer (jbrauer [8]) the module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [9] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/880652 [2] http://drupal.org/node/880656 [3] http://drupal.org/project/prepopulate [4] http://drupal.org/node/880652 [5] http://drupal.org/node/880656 [6] http://drupal.org/project/prepopulate [7] http://drupal.org/user/97356 [8] http://drupal.org/user/253145 [9] http://drupal.org/security-team