[Security-news] SA-CONTRIB-2009-024 - Node Access User Reference - Access Bypass
security-news at drupal.org
Wed Apr 29 22:20:52 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-024
* Project: Node Access User Reference (third-party module)
* Version: 5.x, 6.x
* Date: 2009-April-29
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Node Access User Reference enables administrators to automatically grant node
access (view, update, or delete) to a node where the user is referenced by a
CCK user reference field. When such a field is saved with an empty value, Node
Access User Reference mistakes this for a reference to the anonymous user,
and allows non-logged-in visitors to view or author the node in question.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Node Access User Reference 5.x prior to 5.x-2.0-beta4
* Node Access User Reference 6.x prior to 6.x-2.0-beta6
Drupal core is not affected. If you do not use the contributed Node Access
User Reference module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Node Access User Reference 5.x, upgrade to Node Access User
Reference 5.x-2.0-beta4 [1].
* If you use Node Access User Reference 6.x, upgrade to Node Access User
Reference 6.x-2.0-beta6 [2].
See also the Node Access User Reference project page [3].
-------- REPORTED BY ---------------------------------------------------------
Jakub Suchy [4] of the Drupal security team and Bob Geiger [5].
-------- FIXED BY ------------------------------------------------------------
Daniel Braksator [6].
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/448390
[2] http://drupal.org/node/448392
[3] http://drupal.org/project/nodeaccess_userreference
[4] http://drupal.org/user/31977
[5] http://drupal.org/user/380770
[6] http://drupal.org/user/134005
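
The bug class from the DESCRIPTION section, as an added example that is not part of the advisory and is not the module's code: a grant builder that turns an empty user reference into a grant for uid 0, next to a hardened form that skips it. Assumptions: the anonymous user has uid 0, empty field items arrive as NULL or '', and the function names and the realm string are hypothetical.

```php
<?php
// Hypothetical model of the flaw; names and realm are illustrative only.
const GRANT_REALM = 'example_userreference';

// One node access grant row for a given user id (gid).
function grant_row(int $gid): array {
  return ['realm' => GRANT_REALM, 'gid' => $gid,
          'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 0];
}

// Vulnerable form: every field item becomes a grant, empty or not.
function build_grants_vulnerable(array $items): array {
  $grants = [];
  foreach ($items as $item) {
    // NULL and '' both cast to 0, which is the anonymous user's uid.
    $grants[] = grant_row((int) ($item['uid'] ?? NULL));
  }
  return $grants;
}

// Hardened form: only a positive integer uid may produce a grant.
function build_grants_hardened(array $items): array {
  $grants = [];
  foreach ($items as $item) {
    $uid = filter_var($item['uid'] ?? NULL, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($uid === FALSE) {
      continue; // empty, zero, negative or non-numeric: no grant at all
    }
    $grants[] = grant_row($uid);
  }
  return $grants;
}

// Constructed sample input: one real reference and two empty field items.
$items = [['uid' => '42'], ['uid' => NULL], ['uid' => '']];

foreach (['build_grants_vulnerable', 'build_grants_hardened'] as $fn) {
  $gids = array_column($fn($items), 'gid');
  printf("%-24s gids=[%s] anonymous_granted=%s\n", $fn,
         implode(',', $gids), in_array(0, $gids, TRUE) ? 'yes' : 'no');
}
```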