[Security-news] SA-CONTRIB-2009-041 - Nodequeue - Access bypass
security-news at drupal.org
Wed Jul 8 16:47:23 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-041
* Project: Nodequeue (third-party module)
* Version: 5.x, 6.x
* Date: 2009-July-08
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Nodequeue module enables an administrator to arbitrarily put nodes in a
group with an arbitrary order for any purpose, such as providing a listing of
nodes or featuring a particular node. On the queue administration screen,
users with permission to manipulate a queue are presented with an
autocomplete textfield that allows them to type the title of a node and add
it to a queue. This textfield fails to restrict unpublished node titles from
being displayed to users who lack the 'administer content' permission,
allowing unprivileged users to view the title of unpublished nodes.
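The flaw described above, modelled as an added example that is not Nodequeue's code: an autocomplete callback that checks the queue permission but not published status, beside a version that hides unpublished titles unless the caller holds 'administer content'. The node data, the function names and the 'manipulate queues' permission label are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    nid: int
    title: str
    published: bool

# Constructed sample content; nid 3 is an unpublished draft.
NODES = [
    Node(1, "Release notes for June", True),
    Node(2, "Reorganising the front page", True),
    Node(3, "Redundancy plan (draft)", False),
]

QUEUE_PERM = "manipulate queues"      # hypothetical label for queue access
ADMIN_PERM = "administer content"     # permission named in the advisory

def _matches(node, prefix):
    # An empty prefix matches nothing, so the callback cannot list every title.
    return bool(prefix) and node.title.lower().startswith(prefix.lower())

def autocomplete_vulnerable(prefix, permissions):
    """Flawed pattern: queue permission is checked, published status is not."""
    if QUEUE_PERM not in permissions:
        return []
    return [n.title for n in NODES if _matches(n, prefix)]

def autocomplete_hardened(prefix, permissions):
    """Unpublished titles are returned only to holders of ADMIN_PERM."""
    if QUEUE_PERM not in permissions:
        return []
    may_see_unpublished = ADMIN_PERM in permissions
    return [n.title for n in NODES
            if _matches(n, prefix) and (n.published or may_see_unpublished)]

def leaked_titles(callback, prefix, permissions):
    """Regression check: unpublished titles returned to a non-admin caller."""
    if ADMIN_PERM in permissions:
        return []
    unpublished = {n.title for n in NODES if not n.published}
    return [t for t in callback(prefix, permissions) if t in unpublished]
```

Running leaked_titles against a site's own autocomplete endpoints with a non-admin role is a quick way to confirm the same class of leak is absent after upgrading.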
-------- VERSIONS AFFECTED ---------------------------------------------------
* Nodequeue 6.x prior to 6.x-2.3
* Nodequeue 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Nodequeue
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Nodequeue 6.x upgrade to Nodequeue 6.x-2.3 [1]
* If you use Nodequeue 5.x upgrade to Nodequeue 5.x-2.8 [2]
See also the Nodequeue [3] project page.
-------- REPORTED BY ---------------------------------------------------------
Ezra Barnett Gildesgame (ezra-g [4])
-------- FIXED BY ------------------------------------------------------------
Ezra Barnett Gildesgame, the Nodequeue maintainer (ezra-g [5])
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/513726
[2] http://drupal.org/node/513732
[3] http://drupal.org/project/nodequeue
[4] http://drupal.org/user/69959/
[5] http://drupal.org/user/69959/