View online: https://drupal.org/node/2267539
* Advisory ID: DRUPAL-SA-CONTRIB-2014-053 * Project: Field API Tab Editor [1] (third-party module) * Version: 7.x * Date: 2014-May-14 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module allows each entity field to be individually edited via its own custom page, accessible via a tab on the entity's page.
The module returns an incorrect value to hook_menu if the current user does not have access to edit the entity. This allows users who would not normally have access to edit the entity to edit any fields that are enabled via this module.
The problem is mitigated by the fact that a site builder must enable the custom edit page for the fields. That configuration is not the default nor automatic.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Field API Tab Editor (FATE) 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Field API Tab Editor [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Field API Tab Editor (FATE) module for Drupal 7.x, upgrade to Field API Tab Editor (FATE) v7.x-1.1 [5].
Also see the Field API Tab Editor [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Damien McKenna [7], the module's maintainer.
-------- FIXED BY ------------------------------------------------------------
* Damien McKenna [8], the module's maintainer. * Bob Kepford [9], a reviewer.
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [10], of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/fate [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/fate [5] https://drupal.org/node/2267527 [6] http://drupal.org/project/fate [7] http://drupal.org/user/108450 [8] http://drupal.org/user/108450 [9] http://drupal.org/user/212517 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity