* Advisory ID: DRUPAL-SA-CONTRIB-2010-038 * Project: Privatemsg (third-party module) * Version: 6.x * Date: 2010-April-28 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Privatemsg module allows to send private messages between users. Additionally, the sub module Privatemsg Email Notification sends e-mail notification when such a message is sent. The page to configure the template for these e-mails does not use the correct access permission which allows all users with the read privatemsg permission to access and alter the settings on that page. -------- VERSIONS AFFECTED --------------------------------------------------- * Privatemsg for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Privatemsg [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use Privatemsg for Drupal 6.x upgrade to Privatemsg 6.x-1.2 [2] -------- REPORTED BY --------------------------------------------------------- * Lee Rowlands [3], module maintainer -------- FIXED BY ------------------------------------------------------------ * Lee Rowlands [4], module maintainer. * Sascha Grossebacher [5], module maintainer. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/privatemsg [2] http://drupal.org/node/784598 [3] http://drupal.org/user/395439 [4] http://drupal.org/user/395439 [5] http://drupal.org/user/214652