* Advisory ID: DRUPAL-SA-CONTRIB-2009-089
* Project: Storm (third-party module)
* Version: 6.x
* Date: 2009-October-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Storm module provides a project management application for Drupal. The module suffers a vulnerability whereby nodes of type 'storminvoiceitem' are not respecting the expected access permissions, potentially exposing the node title to unauthorized users.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of Storm for Drupal 6.x prior to 6.x-1.25 [1]
Versions of Storm for Drupal 5.x and 7.x are not affected. Drupal core is not affected. If you do not use the 6.x version of the contributed Storm module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Storm for Drupal 6.x upgrade to Storm 6.x-1.25 [2]
Also see the Storm [3] project page.
-------- REPORTED BY ---------------------------------------------------------
* Fabio Fabbri [4]
-------- FIXED BY ------------------------------------------------------------
* Magnity [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/617480
[2] http://drupal.org/node/617480
[3] http://drupal.org/project/storm
[4] http://drupal.org/user/208703
[5] http://drupal.org/user/267154