DRUPAL-SA-CONTRIB-2009-077 - Userpoints - Information disclosure - Security-news

21 Oct 2009


      * Advisory ID: DRUPAL-SA-CONTRIB-2009-077
  * Project: Userpoints (third party module)
  * Version: 6.x
  * Date: 2009-October-21
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Information disclosure
-------- DESCRIPTION  
---------------------------------------------------------
The Userpoints module enables the users of a site to gain or lose points
based on their activity. There is a vulnerability in the module which allows
any user with the "View own userpoints" permission to view the userpoints
data of any user, not just their own.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Userponts module versions 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Userpoints
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version.
  * If you use the Userpoints module for Drupal 6.x upgrade to Userpoints
    module 6.x-1.1 [1]
See also the Userpoints module project page [2].
-------- REPORTED BY  
---------------------------------------------------------
mr.baileys [3].
-------- FIXED BY  
------------------------------------------------------------
kbahey [4] the module maintainer.
-------- CONTACT  
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/610828
[2] http://drupal.org/project/userpoints
[3] http://drupal.org/user/383424
[4] http://drupal.org/user/4063