SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass - Security-news

2 Jul 2014


      View online: https://www.drupal.org/node/2296495
* Advisory ID: DRUPAL-SA-CONTRIB-2014-066
   * Project: Node Access Keys [1] (third-party module)
   * Version: 7.x
   * Date: 2014-July-02
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Node Access Keys helps to grant users temporary view permissions to selected
content types on a per user role basis.
It was found that unpublished nodes of content types that that did not have
an access key were visible to all. Also, If an unpublished node of a content
type that was protected by an access key was visited with the access key then
access was granted.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Node Access Keys 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Node Access
Keys [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Node Access Keys module for Drupal 7.x, upgrade to Node
     Access Keys 7.x-1.2 [5]
Also see the Node Access Keys [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* This issue was disclosed publicly.
-------- FIXED BY
------------------------------------------------------------
* Daniel Korte [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
   * David Rothstein [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/nodeaccesskeys
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/nodeaccesskeys
[5] http://drupal.org/node/2295895
[6] http://drupal.org/project/nodeaccesskeys
[7] http://drupal.org/user/453668
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/124982
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity