[Security-news] SA-CONTRIB-2009-014 - CCK Field Privacy - Access Bypass

security-news at drupal.org security-news at drupal.org
Mon Mar 23 11:16:45 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-014
  * Project: CCK Field Privacy
  * Version: 6.x
  * Date: 2009-March-23
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

CCK Field Privacy was incorrectly updated for the Drupal 6.x menu system in
such a way that the intended access controls on its administrative pages are
bypassed for unprivileged users. Such users may therefore be able to change
the per-field permissions the module enforces, leading to exposure of private
content.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * CCK Field Privacy [1] module 6.x before version 6.x-1.1

Drupal core is not affected. If you do not use a contributed module from the
list above on a Drupal 6 site, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you are using CCK Field Privacy 6.x update to CCK Field Privacy 6.x-1.1
    [2]

-------- IMPORTANT NOTES -----------------------------------------------------

This vulnerability was publicly disclosed. If you find a security
vulnerability, please contact the Security team rather than posting a public
issue. If you are a module maintainer, do not commit any security-related
code fixes unless you have coordinated with the Security team. If you are the
author of a contributed module being updated for Drupal 6.x, please read the
documentation on the Drupal 6 menu system carefully to ensure that you do not
make the same mistake: http://drupal.org/node/109157
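
The following is an added example, not code from CCK Field Privacy, Drupal
core or this advisory. It illustrates both the description above and the
menu-system note in this section: one common way a Drupal 5 hook_menu()
definition goes wrong when ported to Drupal 6, beside the correct Drupal 6
form, with a stand-in for the router's access decision so that it runs
outside Drupal. The module name "example", the path and the permission string
are hypothetical, and the advisory does not state which mistake the module
actually made.

```php
<?php
// Added example: not code from CCK Field Privacy or Drupal core. The module
// name "example", the path and the permission string are hypothetical.

// Stand-in for Drupal's user_access(), so the example runs outside Drupal.
// $GLOBALS['current_user_perms'] lists the permissions of the "current" user.
$GLOBALS['current_user_perms'] = array();
function user_access($perm) {
  return in_array($perm, $GLOBALS['current_user_perms'], TRUE);
}

function example_admin_page() {
  return 'per-field privacy settings';
}

// WRONG: a Drupal 5 habit carried into Drupal 6. user_access() is evaluated
// once, while hook_menu() runs during a menu rebuild, and its boolean result
// is stored in the router as the "callback". Rebuilds normally happen while
// an administrator is logged in, so the stored value is TRUE.
function example_menu_wrong() {
  $items['admin/content/field-privacy'] = array(
    'title' => 'Field privacy',
    'page callback' => 'example_admin_page',
    'access callback' => user_access('administer field privacy'),
  );
  return $items;
}

// RIGHT: name the permission in 'access arguments'. Drupal 6 then calls
// user_access() with it on every request, for the user making the request.
// 'access callback' => 'user_access' is the default and may be omitted.
function example_menu_right() {
  $items['admin/content/field-privacy'] = array(
    'title' => 'Field privacy',
    'page callback' => 'example_admin_page',
    'access callback' => 'user_access',
    'access arguments' => array('administer field privacy'),
  );
  return $items;
}

// Simplified stand-in for the decision Drupal 6's menu router makes for a
// router item (the same rule as _menu_check_access() in core's menu.inc): a
// boolean or numeric callback is taken as a literal allow/deny, a named
// callback is invoked with the item's access arguments.
function router_grants_access(array $item) {
  $callback = isset($item['access callback']) ? $item['access callback'] : 0;
  if (is_bool($callback) || is_numeric($callback)) {
    return (bool) $callback;
  }
  $args = isset($item['access arguments']) ? $item['access arguments'] : array();
  return (bool) call_user_func_array($callback, $args);
}

// 1. The menu is rebuilt while an administrator is logged in.
$GLOBALS['current_user_perms'] = array('administer field privacy');
$wrong = example_menu_wrong();
$right = example_menu_right();

// 2. Later, an anonymous user (no permissions) requests the admin page and
//    the cached router items decide access.
$GLOBALS['current_user_perms'] = array();
$path = 'admin/content/field-privacy';
printf("wrong item, anonymous user: %s\n",
  router_grants_access($wrong[$path]) ? 'GRANTED' : 'denied');
printf("right item, anonymous user: %s\n",
  router_grants_access($right[$path]) ? 'GRANTED' : 'denied');
```

Run it with `php example.php`. The item built the wrong way lets the
anonymous user through, because the TRUE captured at rebuild time is what the
router stores and it is never re-evaluated; the item built the right way
denies the request, because user_access() runs at request time for the
requesting user. The same trap applies to writing 'access callback' => TRUE
on a page that is meant to be restricted.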

-------- REPORTED BY ---------------------------------------------------------

This vulnerability was publicly disclosed.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/cck_field_privacy
[2] http://drupal.org/node/409690