[Security-news] DRUPAL-SA-CONTRIB-2009-077 - Userpoints - Information disclosure
security-news at drupal.org
Wed Oct 21 21:14:00 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-077
* Project: Userpoints (third party module)
* Version: 6.x
* Date: 2009-October-21
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Information disclosure
-------- DESCRIPTION ---------------------------------------------------------
The Userpoints module enables the users of a site to gain or lose points
based on their activity. There is a vulnerability in the module which allows
any user with the "View own userpoints" permission to view the userpoints
data of any user, not just their own.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Userpoints module versions 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Userpoints
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the Userpoints module for Drupal 6.x, upgrade to Userpoints
module 6.x-1.1 [1]
See also the Userpoints module project page [2].
-------- REPORTED BY ---------------------------------------------------------
mr.baileys [3].
-------- FIXED BY ------------------------------------------------------------
kbahey [4], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/610828
[2] http://drupal.org/project/userpoints
[3] http://drupal.org/user/383424
[4] http://drupal.org/user/4063
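
The class of flaw described above, as an added example that is not code from the Userpoints module or from this advisory: an "own"-scoped permission that is checked without comparing the requested account to the viewer, next to the corrected check and an access-matrix test that flags cross-account grants. The advisory does not show the module's code, so every `example_*` function, the account objects and the `user_access()` stand-in (used only so the file runs outside Drupal) are assumptions; the permission string is spelled as in the advisory.

```php
<?php
// Added illustration; hypothetical names, not the Userpoints module's code.

// Stand-in for Drupal 6's user_access($string, $account), defined only
// when Drupal is not loaded. Here permissions are a plain array (assumption).
if (!function_exists('user_access')) {
  function user_access($string, $account = NULL) {
    return in_array($string, $account->permissions, TRUE);
  }
}

// Flawed shape: the permission is checked, but the requested uid is never
// compared with the viewer's uid, so "own" is not enforced.
function example_points_access_flawed($viewer, $target_uid) {
  return user_access('View own userpoints', $viewer);
}

// Corrected shape: the permission only covers the viewer's own account.
function example_points_access_fixed($viewer, $target_uid) {
  return user_access('View own userpoints', $viewer)
    && (int) $viewer->uid !== 0  // anonymous (uid 0) has no own account
    && (int) $viewer->uid === (int) $target_uid;
}

// Returns every viewer/target pair where the callback lets a viewer see
// another account's data. An empty array means no cross-account access.
function example_cross_account_grants($callback, $accounts) {
  $leaks = array();
  foreach ($accounts as $viewer) {
    foreach ($accounts as $target) {
      if ($viewer->uid != $target->uid
          && call_user_func($callback, $viewer, $target->uid)) {
        $leaks[] = "uid {$viewer->uid} -> uid {$target->uid}";
      }
    }
  }
  return $leaks;
}

// Constructed accounts: two hold the permission, one does not.
$accounts = array(
  (object) array('uid' => 2, 'permissions' => array('View own userpoints')),
  (object) array('uid' => 3, 'permissions' => array('View own userpoints')),
  (object) array('uid' => 4, 'permissions' => array()),
);

foreach (array('example_points_access_flawed', 'example_points_access_fixed') as $cb) {
  $leaks = example_cross_account_grants($cb, $accounts);
  print $cb . ': ' . ($leaks ? implode(', ', $leaks) : 'no cross-account access') . "\n";
}
```

The same matrix check can be kept as a regression test after upgrading: any non-empty result for an "own"-scoped permission indicates the ownership comparison is missing.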