SA-CONTRIB-2009-041 - Nodequeue - Access bypass
* Advisory ID: DRUPAL-SA-CONTRIB-2009-041
* Project: Nodequeue (third-party module)
* Version: 5.x, 6.x
* Date: 2009-July-08
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The Nodequeue module enables an administrator to arbitrarily put nodes in a group with an arbitrary order for any purpose, such as providing a listing of nodes or featuring a particular node.

On the queue administration screen, users with permission to manipulate a queue are presented with an autocomplete textfield that allows them to type the title of a node and add it to a queue. This textfield fails to restrict unpublished node titles from being displayed to users who lack the 'administer content' permission, allowing unprivileged users to view the title of unpublished nodes.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Nodequeue 6.x prior to 6.x-2.3
* Nodequeue 5.x prior to 5.x-2.8

Drupal core is not affected. If you do not use the contributed Nodequeue module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Nodequeue 6.x upgrade to Nodequeue 6.x-2.3 [1]
* If you use Nodequeue 5.x upgrade to Nodequeue 5.x-2.8 [2]

See also the Nodequeue [3] project page.

-------- REPORTED BY ---------------------------------------------------------

Ezra Barnett Gildesgame (ezra-g [4])

-------- FIXED BY ------------------------------------------------------------

Ezra Barnett Gildesgame, the Nodequeue maintainer (ezra-g [5])

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/513726
[2] http://drupal.org/node/513732
[3] http://drupal.org/project/nodequeue
[4] http://drupal.org/user/69959/
[5] http://drupal.org/user/69959/
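The weakness described above is a common shape for autocomplete endpoints: the query that feeds the suggestion list is not subject to the same visibility rules as the pages the user can otherwise reach. The following Drupal 6-style callback pair is an added illustration, not code from the Nodequeue module or its 6.x-2.3 / 5.x-2.8 fix; the function names are hypothetical. It shows the unfiltered title lookup next to a hardened version that limits non-administrative users to published nodes and routes the query through db_rewrite_sql() so node access grants apply as well. The advisory refers to the 'administer content' permission; the code uses the Drupal 6 permission key 'administer nodes' for that check.

```php
<?php
// Added illustrative example (not the Nodequeue project's own code).
// Both functions are hypothetical Drupal 6 menu callbacks that answer an
// autocomplete request with a JSON map of "title [nid: N]" => title.

/**
 * Vulnerable pattern: the title match ignores publication status, so any
 * user allowed to reach the queue screen receives unpublished titles in
 * the suggestion list.
 */
function example_nodequeue_autocomplete_vulnerable($string = '') {
  $matches = array();
  // '%%' is a literal '%' in db_query()'s printf-style template.
  $result = db_query_range(
    "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%%%s%%')",
    $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    $matches[$node->title . " [nid: $node->nid]"] = check_plain($node->title);
  }
  drupal_json($matches);
}

/**
 * Hardened pattern: users without the administrative node permission
 * (the advisory's 'administer content'; keyed 'administer nodes' in
 * Drupal 6) only see published nodes (n.status = 1), and db_rewrite_sql()
 * adds the node access grant conditions so per-node restrictions are
 * honoured by the suggestion list as well as by node pages.
 */
function example_nodequeue_autocomplete_hardened($string = '') {
  $matches = array();
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%%%s%%')";
  if (!user_access('administer nodes')) {
    $sql .= " AND n.status = 1";
  }
  $result = db_query_range(db_rewrite_sql($sql), $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    $matches[$node->title . " [nid: $node->nid]"] = check_plain($node->title);
  }
  drupal_json($matches);
}
```

When reviewing a module for this class of issue, check every JSON or autocomplete callback that selects from {node} directly: it should either carry the same status and access conditions as the module's page callbacks or be wrapped in db_rewrite_sql(), and the menu entry for the callback should require a permission at least as strict as the screen that uses it.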