* Advisory ID: DRUPAL-SA-CONTRIB-2009-014
* Project: CCK Field Privacy
* Version: 6.x
* Date: 2009-March-23
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------
CCK Field Privacy was incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls for the administrative pages are bypassed for unprivileged users. This may allow users to change permissions on fields and lead to exposure of private content.

-------- VERSIONS AFFECTED ---------------------------------------------------
* CCK Field Privacy [1] module 6.x before version 6.x-1.1
Drupal core is not affected. If you do not use a contributed module from the list above on a Drupal 6 site, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you are using CCK Field Privacy 6.x update to CCK Field Privacy 6.x-1.1 [2]

-------- IMPORTANT NOTES -----------------------------------------------------
This vulnerability was publicly disclosed. If you find a security vulnerability, please contact the Security team rather than posting a public issue. If you are a module maintainer, do not commit any security-related code fixes unless you have coordinated with the Security team. If you are the author of a contributed module being updated for Drupal 6.x, please read the documentation on the Drupal 6 menu system carefully to ensure that you do not make the same mistake: http://drupal.org/node/109157

-------- REPORTED BY ---------------------------------------------------------
This vulnerability was publicly disclosed.

-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/cck_field_privacy
[2] http://drupal.org/node/409690
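The IMPORTANT NOTES section points maintainers at the Drupal 6 menu system conversion as the source of this class of access bypass. The following hook_menu() implementation is an added illustration of how a Drupal 6 administrative path declares its access check and how to verify the resulting router entry; it is not code from CCK Field Privacy (whose actual defect this advisory does not detail). The module name example_admin, its permission string, the settings form name and the helper example_admin_router_is_protected() are assumed; menu_get_item() is Drupal 6 core API.

```php
<?php
/**
 * Implements hook_menu() for Drupal 6.x.
 *
 * example_admin is a hypothetical module used for illustration only.
 */
function example_admin_menu() {
  $items = array();
  // hook_menu() runs once, at menu rebuild, and its result is cached in the
  // router table. Any permission evaluated inline here (for example a Drupal 5
  // style user_access() call placed directly in the item) is frozen into that
  // cache as a constant; if the rebuild was triggered by an administrator the
  // constant is TRUE for every later visitor. Pass the callback name and its
  // arguments instead, so the router calls user_access() on each request.
  $items['admin/content/example-privacy'] = array(
    'title' => 'Field privacy settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_admin_settings_form'),
    'access callback' => 'user_access',
    'access arguments' => array('administer example field privacy'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Implements hook_perm(): declares the permission checked above.
 */
function example_admin_perm() {
  return array('administer example field privacy');
}

/**
 * Regression check for an administrative path: returns TRUE only when the
 * cached router item still resolves to a real per-request permission check.
 * A missing callback or a numeric one (a frozen TRUE/FALSE) is a failure.
 */
function example_admin_router_is_protected($path) {
  $item = menu_get_item($path);
  if (!$item) {
    return FALSE;
  }
  $callback = empty($item['access_callback']) ? '' : trim($item['access_callback']);
  if ($callback === '' || is_numeric($callback)) {
    return FALSE;
  }
  // user_access() is only meaningful with a permission string to check.
  return $callback != 'user_access' || !empty($item['access_arguments']);
}
```

Calling example_admin_router_is_protected('admin/content/example-privacy') after a menu rebuild (for example from a SimpleTest case) catches a converted item whose check was evaluated at definition time rather than at request time.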