* Advisory ID: DRUPAL-SA-CONTRIB-2009-060 * Project: Meta tags / Nodewords (third-party module) * Version: 6.x * Date: 2009-September-23 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The Meta tags (also known as Nodewords) module provides meta tags based on node titles. In certain conditions, the node meta tags were not respecting access permissions, potentially exposing content not available otherwise. -------- VERSIONS AFFECTED ---------------------------------------------------

* Meta tags for Drupal 6.x before Meta tags 6.x-1.1

Drupal core is not affected. If you do not use the contributed Meta tags module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------

Install the latest version: * If you use Drupal 6.x upgrade to Meta tags 6.x-1.1 [1].

Also see the Meta tags [2] project page. -------- REPORTED BY ---------------------------------------------------------

Barry Jaspan [3] and Ben Jeavons [4], both of the Drupal Security Team [5] -------- FIXED BY ------------------------------------------------------------

Alberto Paderno [6], the module co-maintainer -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/node/585706 [2] http://drupal.org/project/nodewords [3] http://drupal.org/user/46413 [4] http://drupal.org/user/91990 [5] http://drupal.org/security-team [6] http://drupal.org/user/55077