* Advisory ID: DRUPAL-SA-CONTRIB-2009-058
* Project: Comment RSS (third-party module)
* Version: 5.x, 6.x
* Date: 2009-September-16
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------
The Comment RSS [1] module provides RSS feeds for comments on individual nodes. The link to this feed contains the node's title. The module added the link to the RSS feed without respecting access permissions, potentially exposing content not otherwise available.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Comment RSS for Drupal 5.x before Comment RSS 5.x-2.2
* Comment RSS for Drupal 6.x before Comment RSS 6.x-2.2

Drupal core is not affected. If you do not use the contributed Comment RSS module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Install the latest version:

* If you use Drupal 5.x, upgrade to Comment RSS 5.x-2.2 [2].
* If you use Drupal 6.x, upgrade to Comment RSS 6.x-2.2 [3].

See also the Comment RSS [4] project page.

-------- REPORTED BY ---------------------------------------------------------
Dave Reid [5] of the Drupal Security Team [6] and co-maintainer of the Comment RSS module

-------- FIXED BY ------------------------------------------------------------
Dave Reid [7]

-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/project/commentrss
[2] http://drupal.org/node/579292
[3] http://drupal.org/node/579290
[4] http://drupal.org/project/commentrss
[5] http://drupal.org/user/53892
[6] http://drupal.org/security-team
[7] http://drupal.org/user/53892