SA-CONTRIB-2012-109 - Restrict node page view - Access bypass - Security-news

11 Jul 2012


      View online: http://drupal.org/node/1679466
* Advisory ID: SA-CONTRIB-2012-109
  * Project: Restrict node page view [1] (third-party module)
  * Version: 7.x
  * Date: 2012-July-11
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass
-------- DESCRIPTION  
---------------------------------------------------------
This module enables you to disable direct access to node pages (node/XXX)
based on nodetypes and permissions.
The module issues a NODE_ACCESS_ALLOW if it's permissions are met, but does
not respect the "administer nodes" or "access own unpublished content"
permissions. The consequence is that this module grants access to unpublished
content to any role that has the "view any node page" or "view any node
{type} page" permissions.
CVE: Requested
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Restrict node page view 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Restrict node
page view [3] module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version:
* If you use the Restrict node page view module for Drupal 7.x, upgrade to
    Restrict node page view 7.x-1.2 [4]
Also see the Restrict node page view [5] project page.
-------- REPORTED BY  
---------------------------------------------------------
* Jake Bell [6]
-------- FIXED BY  
------------------------------------------------------------
* Jake Bell [7]
-------- COORDINATED BY  
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
  * Chris Hales [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION  
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/restrict_node_page_view
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/restrict_node_page_view
[4] http://drupal.org/node/1662724
[5] http://drupal.org/project/restrict_node_page_view
[6] http://drupal.org/user/11219
[7] http://drupal.org/user/11219
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/347249
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration