[Security-news] SA-CONTRIB-2009-029 - Views Bulk Operations - Access Bypass

security-news at drupal.org security-news at drupal.org
Wed May 20 20:16:57 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-029
  * Project: Views Bulk Operations (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-May-20
  * Security risk: Medium
  * Exploitable from: Remote
  * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

Views Bulk Operations allows registered procedures (called actions) to be
applied to a result set of Drupal nodes returned by the Views module.
Through the Views Bulk Operations interface, users who are not authorized to
update specific nodes or classes of nodes can still apply actions that modify
those nodes, thereby violating user permissions.
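
A minimal model of the access bypass described above next to the per-node
check that closes it, as an added example (not code from the Views Bulk
Operations module or from this advisory). The Node and User classes, the
permission strings and all function names are assumptions for illustration,
and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    nid: int
    type: str
    owner: str
    status: int = 1  # 1 = published

@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)

def can_update(user, node):
    """Simplified per-node update check (permission names are assumed)."""
    if f"edit any {node.type} content" in user.perms:
        return True
    return node.owner == user.name and f"edit own {node.type} content" in user.perms

def unpublish(node):
    """Example action that modifies a node."""
    node.status = 0

def bulk_apply_unchecked(user, nodes, action):
    """Flawed pattern: being in the result set is treated as permission to modify."""
    for node in nodes:
        action(node)
    return [n.nid for n in nodes], []

def bulk_apply_checked(user, nodes, action):
    """Hardened pattern: re-check update access for each node at execution time."""
    applied, denied = [], []
    for node in nodes:
        if can_update(user, node):
            action(node)
            applied.append(node.nid)
        else:
            denied.append(node.nid)  # report or log; the node is left untouched
    return applied, denied

def demo():
    # Constructed sample data: alice can view all three nodes but edit only her own page.
    alice = User("alice", {"access content", "edit own page content"})
    result_set = [Node(1, "page", "alice"), Node(2, "page", "bob"), Node(3, "story", "bob")]
    return bulk_apply_checked(alice, result_set, unpublish), [n.status for n in result_set]
```
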

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Views Bulk Operations 5.x-1.x prior to 5.x-1.4
  * Views Bulk Operations 6.x-1.x prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed Views Bulk
Operations module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Views Bulk Operations 5.x-1.x upgrade to Views Bulk Operations
    5.x-1.4 [1]
  * If you use Views Bulk Operations 6.x-1.x upgrade to Views Bulk Operations
    6.x-1.7 [2]
See also the Views Bulk Operations project page [3].

-------- REPORTED BY ---------------------------------------------------------

Shawn McElroy (bigmack83) [4]

-------- FIXED BY ------------------------------------------------------------

Karim Ratib (kratib) [5]

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.


[1] http://drupal.org/node/468374
[2] http://drupal.org/node/468366
[3] http://drupal.org/project/views_bulk_operations
[4] http://drupal.org/user/248940
[5] http://drupal.org/user/48424


