View online: https://www.drupal.org/node/2316747
* Advisory ID: DRUPAL-SA-CONTRIB-2014-076
* Project: Fasttoggle [1] (third-party module)
* Version: 7.x
* Date: 2014-August-06
* Security risk: 11/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:25 [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to quickly toggle various user, node and field related settings via ajax links.
The 7.x-1.3 and 7.x-1.4 releases of the module include a rewrite of the access control which does not correctly enforce access checks for the user status (allow/block) link.
This vulnerability is mitigated by the fact that the administrator must enable the link in the fasttoggle configuration and allow user profiles to be viewed by anonymous or logged in users. For user 1 to be affected, the administrator must also enable the fasttoggle setting that allows that account to be blocked via fasttoggle.
All uses of the Fasttoggle module are logged, so any invocations of the exploit will be recorded. Accounts can only be blocked or unblocked via the exploit.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
Drupal core is not affected. If you do not use the contributed Fasttoggle [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Fasttoggle module for Drupal 7.x, upgrade to Fasttoggle 7.x-1.5 [5]
Also see the Fasttoggle [6] project page.
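As an added example (not part of the advisory or of the Fasttoggle project), the following script classifies an installed Fasttoggle copy against the version range named above by reading the `version = "..."` line that drupal.org packaging writes into a module's `.info` file. The advisory names only 7.x-1.3 and 7.x-1.4 as carrying the faulty access rewrite and 7.x-1.5 as the fix; the sample `.info` text, the directory-walk helper and the `older`/`unknown` labels are assumptions made for this example.

```python
import re
from pathlib import Path

# Range taken from the advisory text: 7.x-1.3 and 7.x-1.4 are affected, 7.x-1.5 fixes it.
AFFECTED_MINORS = {3, 4}
FIXED_MINOR = 5

# Packaged Drupal 7 modules carry a line such as:  version = "7.x-1.4"
# (git checkouts usually have no version line at all).
_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)
_BRANCH_RE = re.compile(r'^7\.x-1\.(\d+)$')

# Constructed sample .info content for a stand-alone run (not a real file from the project).
SAMPLE_INFO = 'name = Fasttoggle\ncore = 7.x\nproject = "fasttoggle"\nversion = "7.x-1.4"\n'


def version_from_info(info_text):
    """Return the version string declared in a .info file, or None if there is none."""
    match = _VERSION_RE.search(info_text)
    return match.group(1) if match else None


def fasttoggle_status(version):
    """Classify a Fasttoggle 7.x version string against this advisory.

    Returns one of:
      "affected" - 7.x-1.3 or 7.x-1.4, named in the advisory
      "fixed"    - 7.x-1.5 or later
      "older"    - a 7.x-1.x release before 1.3 (not named in the advisory;
                   predates the access-control rewrite, upgrade anyway)
      "unknown"  - no version line, a dev snapshot, or another branch
    """
    if version is None:
        return "unknown"
    match = _BRANCH_RE.match(version)
    if not match:
        return "unknown"
    minor = int(match.group(1))
    if minor in AFFECTED_MINORS:
        return "affected"
    if minor >= FIXED_MINOR:
        return "fixed"
    return "older"


def scan_site(docroot):
    """Walk a Drupal docroot (e.g. sites/all/modules) and report every fasttoggle.info found."""
    results = {}
    for info_path in Path(docroot).rglob("fasttoggle.info"):
        version = version_from_info(info_path.read_text(errors="replace"))
        results[str(info_path)] = (version, fasttoggle_status(version))
    return results


if __name__ == "__main__":
    # Stand-alone demonstration on the constructed sample; replace with scan_site("/var/www/drupal").
    sample_version = version_from_info(SAMPLE_INFO)
    print(sample_version, "->", fasttoggle_status(sample_version))
```

Run it as `python fasttoggle_check.py` for the sample, or call `scan_site()` on a site's docroot to list every Fasttoggle copy (including ones under `sites/<name>/modules`) with its status. A result of `unknown` means the version could not be read from the `.info` file and should be verified by hand.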
-------- REPORTED BY ---------------------------------------------------------
* Laura Hild [7]
-------- FIXED BY ------------------------------------------------------------
* Nigel Cunningham [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Neil Drumm [9] of the Drupal Security Team
* David Stoline [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/fasttoggle
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fasttoggle
[5] https://www.drupal.org/node/2316065
[6] http://drupal.org/project/fasttoggle
[7] https://www.drupal.org/user/760454
[8] https://www.drupal.org/user/250105
[9] https://www.drupal.org/user/3064
[10] https://www.drupal.org/u/dstol
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration