* Advisory ID: DRUPAL-SA-CONTRIB-2012-019
* Project: Link checker [1] (third-party module)
* Version: 6.x
* Date: 2012-February-15
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed.
The module does not correctly check permission to access the site's content before displaying broken links that were found within it, leading to an access bypass vulnerability.
This vulnerability is mitigated by several factors: The site must have private content (for example, if a node access or CCK field access module is being used), and the Link checker module must be configured to display broken links to users who do not already have permission to bypass content access control. Also, only the URLs of the broken links are displayed, so this vulnerability is only serious if the content of those URLs is potentially sensitive (for example, if the URL contains a username and password or a secure token, or if it would reveal sensitive information about topics being discussed in the rest of the private content).
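As an added illustration of the missing check the advisory describes, the following is hypothetical code, not the Link checker module's own: the `example_linkchecker_*` functions and the shape of the broken-link records (`nid` of the node the link was found in, `url` of the broken link) are assumptions, while `node_load()`, `node_access()`, `check_url()` and `theme('item_list')` are Drupal 6 core APIs.

```php
<?php
// Keep only the broken-link records whose source node the given account may
// view. Records are assumed to be objects with ->nid and ->url.
function example_linkchecker_visible_links(array $records, $account = NULL) {
  $visible = array();
  $nodes = array();
  foreach ($records as $record) {
    // Load each source node once (Drupal 6 core API).
    if (!isset($nodes[$record->nid])) {
      $nodes[$record->nid] = node_load($record->nid);
    }
    $node = $nodes[$record->nid];
    // node_access() consults node access grants, so private content protected
    // by a node access module is excluded unless the account already holds a
    // permission that bypasses content access control. Field-level access
    // (e.g. CCK field permissions) is not covered by this node-level check
    // and would need a separate test before showing links from such fields.
    if (!$node || !node_access('view', $node, $account)) {
      continue;
    }
    $visible[] = $record;
  }
  return $visible;
}

// Vulnerable pattern from the advisory: every found link is rendered without
// checking whether the viewer may access the content it was extracted from.
function example_linkchecker_report_unsafe(array $records) {
  $items = array();
  foreach ($records as $record) {
    $items[] = check_url($record->url);
  }
  return theme('item_list', $items);
}

// Fixed pattern: filter by content access first, then render the remainder.
function example_linkchecker_report_safe(array $records) {
  $items = array();
  foreach (example_linkchecker_visible_links($records) as $record) {
    $items[] = check_url($record->url);
  }
  return theme('item_list', $items);
}
```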
-------- VERSIONS AFFECTED ---------------------------------------------------
* Link checker 6.x-2.x versions prior to 6.x-2.5.
Drupal core is not affected. If you do not use the contributed Link checker [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Link checker module for Drupal 6.x, upgrade to Link checker 6.x-2.5 [4].
See also the Link checker [5] project page.
-------- REPORTED BY ---------------------------------------------------------
Various aspects of the access bypass vulnerability were reported by the following individuals:
* Ivo Van Geertruyen [6] of the Drupal Security Team
* Dave Reid [7] of the Drupal Security Team
* Alexander Hass [8], the module maintainer
* David Rothstein [9] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* David Rothstein [10] of the Drupal Security Team
* Alexander Hass [11], the module maintainer
* Ivo Van Geertruyen [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/linkchecker
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/linkchecker
[4] http://drupal.org/node/1440508
[5] http://drupal.org/project/linkchecker
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/53892
[8] http://drupal.org/user/85918
[9] http://drupal.org/user/124982
[10] http://drupal.org/user/124982
[11] http://drupal.org/user/85918
[12] http://drupal.org/user/383424
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration