* Advisory ID: DRUPAL-SA-CONTRIB-2011-017 * Project: Save Draft [1] (third-party module) * Version: 6.x, 7.x * Date: 2011-April-27 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Validation bypass -------- DESCRIPTION --------------------------------------------------------- The Save Draft module adds a "Save as draft" button to the node form, letting content creators easily save a post in unpublished draft form. The module adds validation to individual form actions, thereby bypassing any form-wide validation that is normally performed before saving content. This is a security vulnerability for sites where other modules are using node validation for security purposes. -------- VERSIONS AFFECTED --------------------------------------------------- * Save Draft module for Drupal 6.x versions prior to 6.x-1.8 * Save Draft module for Drupal 7.x versions prior to 7.x-1.4 Drupal core is not affected. If you do not use the contributed Save Draft [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Save Draft module for Drupal 6.x, upgrade to Save Draft 6.x-1.8 [4]. (Note that the 6.x-2.x branch of the module is not affected. If you use that, you do not need to upgrade.) * If you use the Save Draft module for Drupal 7.x, upgrade to Save Draft 7.x-1.4 [5]. See also the Save Draft project page [6]. -------- REPORTED BY --------------------------------------------------------- * David Rothstein [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * David Rothstein [8] of the Drupal Security Team * Katherine Senzee (ksenzee [9]), module co-maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the team and their policies [11], writing secure code for Drupal [12], and secure configuration [13] of your site. [1] http://drupal.org/project/save_draft [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/save_draft [4] http://drupal.org/node/1139378 [5] http://drupal.org/node/1139380 [6] http://drupal.org/project/save_draft [7] http://drupal.org/user/124982 [8] http://drupal.org/user/124982 [9] http://drupal.org/user/139855 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration