SA-CONTRIB-2009-024 - Node Access User Reference - Access Bypass
* Advisory ID: DRUPAL-SA-CONTRIB-2009-024
* Project: Node Access User Reference (third-party module)
* Version: 5.x, 6.x
* Date: 2009-April-29
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

Node Access User Reference enables administrators to automatically grant node access (view, update, or delete) on a node to the user referenced by a CCK user reference field. When such a field is saved with an empty value, Node Access User Reference mistakes the empty value for a reference to the anonymous user, and so allows non-logged-in visitors to view or author the node in question.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Node Access User Reference 5.x prior to 5.x-2.0-beta4
* Node Access User Reference 6.x prior to 6.x-2.0-beta6

Drupal core is not affected. If you do not use the contributed Node Access User Reference module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Node Access User Reference 5.x upgrade to Node Access User Reference 5.x-2.0-beta4 [1].
* If you use Node Access User Reference 6.x upgrade to Node Access User Reference 5.x-2.0-beta4 [2].

See also the Node Access User Reference project page [3].

-------- REPORTED BY ---------------------------------------------------------

Jakub Suchy [4] of the Drupal security team and Bob Geiger [5].

-------- FIXED BY ------------------------------------------------------------

Daniel Braksator [6].

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/448390
[2] http://drupal.org/node/448392
[3] http://drupal.org/project/nodeaccess_userreference
[4] http://drupal.org/user/31977
[5] http://drupal.org/user/380770
[6] http://drupal.org/user/134005
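The empty-value confusion described in the advisory, shown as an added illustration rather than the module's own code. In Drupal the anonymous user has uid 0, and an empty CCK field value cast to an integer is also 0, so a grant row built naively from the stored value ends up matching every anonymous visitor. The field name `field_assigned_user`, the realm name, the grant rows and the simplified access check below are all assumptions made for this example; it runs stand-alone without Drupal.

```php
<?php
// Added example (not the Node Access User Reference module's code): how an
// empty CCK user reference value collapses to the anonymous uid when node
// access grants are built, and the check that prevents it.

// Drupal's anonymous user has uid 0.
define('ANONYMOUS_UID', 0);

// Constructed node: a user reference field with one real reference and one
// empty delta (what a widget left blank typically saves).
$node = (object) array(
  'nid' => 42,
  'field_assigned_user' => array(   // assumed field name
    array('uid' => 7),
    array('uid' => ''),
  ),
);

// Vulnerable pattern: every stored value is cast to int, so '' becomes 0,
// which is exactly the anonymous user's uid.
function grants_vulnerable($node) {
  $grants = array();
  foreach ($node->field_assigned_user as $item) {
    $grants[] = array(
      'realm' => 'nodeaccess_userreference',   // assumed realm name
      'gid' => (int) $item['uid'],
      'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 0,
      'priority' => 0,
    );
  }
  return $grants;
}

// Hardened pattern: an empty or anonymous reference produces no grant row.
function grants_fixed($node) {
  $grants = array();
  foreach ($node->field_assigned_user as $item) {
    if (!isset($item['uid']) || $item['uid'] === '' || (int) $item['uid'] === ANONYMOUS_UID) {
      continue;  // nothing referenced: nothing to grant
    }
    $grants[] = array(
      'realm' => 'nodeaccess_userreference',
      'gid' => (int) $item['uid'],
      'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 0,
      'priority' => 0,
    );
  }
  return $grants;
}

// Stand-in for what hook_node_grants() would return for an account in this
// realm: the account's own uid as the grant id.
function user_grants($account) {
  return array('nodeaccess_userreference' => array((int) $account->uid));
}

// Simplified stand-in for node_access(): does any grant row allow $op for
// this account?
function can_access($records, $account, $op) {
  $mine = user_grants($account);
  foreach ($records as $r) {
    if (isset($mine[$r['realm']])
        && in_array($r['gid'], $mine[$r['realm']], TRUE)
        && !empty($r['grant_' . $op])) {
      return TRUE;
    }
  }
  return FALSE;
}

$anonymous  = (object) array('uid' => ANONYMOUS_UID);
$referenced = (object) array('uid' => 7);

echo "anonymous view, vulnerable grants: ";
var_dump(can_access(grants_vulnerable($node), $anonymous, 'view'));
echo "anonymous view, fixed grants: ";
var_dump(can_access(grants_fixed($node), $anonymous, 'view'));
echo "referenced user update, fixed grants: ";
var_dump(can_access(grants_fixed($node), $referenced, 'update'));
```

The same class of defect applies to any access realm keyed by a user id: a site audit can query the node access grant table for rows in the module's realm with a grant id of 0, since such rows should never exist once the fixed release is installed.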