[Security-news] SA-CONTRIB-2009-083 - CCK Comment Reference - Access Bypass

security-news at drupal.org security-news at drupal.org
Wed Oct 28 21:55:47 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-083
  * Project: CCK Comment Reference (third-party module)
  * Version: 6.x
  * Date: 2009-October-28
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The CCK Comment Reference module enables administrators to define node fields
that are references to comments. Users can access comments through the
autocomplete path that the module provides even if they don't have access to
read comments.
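
The pattern behind this class of bug, as an added illustration that is not the advisory's or the CCK Comment Reference module's own code: a Drupal 6 hook_menu() entry for an autocomplete path whose access callback never asks whether the requester may read comments, shown beside a hardened entry that gates the router on core's 'access comments' permission and rewrites the query so node access rules also apply. The path, function names and query are assumptions made for this example.

```php
<?php
/**
 * Illustrative Drupal 6 router entries for a comment autocomplete path.
 * Not the CCK Comment Reference module's code: the path, function names
 * and query below are assumptions for this example.
 */

// Weak definition: any user who can reach the path can enumerate comments,
// whether or not they hold permission to read comments at all.
function example_commentref_menu_weak() {
  $items = array();
  $items['example/comment/autocomplete'] = array(
    'page callback' => 'example_commentref_autocomplete',
    'access callback' => TRUE,   // no permission check: access bypass
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Hardened definition: the menu router requires core's 'access comments'
// permission, so unauthorised users receive a 403 before the callback runs.
function example_commentref_menu() {
  $items = array();
  $items['example/comment/autocomplete'] = array(
    'page callback' => 'example_commentref_autocomplete',
    'access callback' => 'user_access',
    'access arguments' => array('access comments'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Autocomplete callback: published comments whose subject matches $string.
 * db_rewrite_sql() applies node access rules, so comments on nodes the user
 * cannot view are not disclosed even to users who hold 'access comments'.
 */
function example_commentref_autocomplete($string = '') {
  $matches = array();
  if ($string !== '') {
    $sql = "SELECT c.cid, c.subject FROM {comments} c "
         . "INNER JOIN {node} n ON n.nid = c.nid "
         . "WHERE c.status = %d AND n.status = 1 "
         . "AND LOWER(c.subject) LIKE LOWER('%%%s%%')";
    // Placeholders keep the user-supplied string out of the SQL text.
    $result = db_query_range(db_rewrite_sql($sql), COMMENT_PUBLISHED, $string, 0, 10);
    while ($comment = db_fetch_object($result)) {
      $key = $comment->subject . ' [cid:' . $comment->cid . ']';
      $matches[$key] = check_plain($comment->subject);
    }
  }
  drupal_json($matches);
}
```

The menu-level check is what closes the bypass described above: it is evaluated by the router for every request to the path, independent of the field widget that normally calls it. The query rewrite is a second layer, so that a user permitted to read comments in general still cannot enumerate comments attached to nodes they are not allowed to see.
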

-------- VERSIONS AFFECTED ---------------------------------------------------

  * CCK Comment Reference module versions for Drupal 6.x prior to CCK Comment
    Reference 6.x-1.3 [1]
  * CCK Comment Reference module versions for Drupal 5.x prior to CCK Comment
    Reference 5.x-1.2 [2]

Drupal core is not affected. If you do not use the contributed CCK Comment
Reference [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.
  * If you use the CCK Comment Reference module for Drupal 6.x, upgrade to CCK
    Comment Reference 6.x-1.3 [4]
  * If you use the CCK Comment Reference module for Drupal 5.x, upgrade to CCK
    Comment Reference 5.x-1.2 [5]

-------- REPORTED BY ---------------------------------------------------------

  * Ben Jeavons [6] of Drupal Security Team.

-------- FIXED BY ------------------------------------------------------------

  * Kristof De Jaeger [7], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/615988
[2] http://drupal.org/node/616824
[3] http://drupal.org/project/commentreference
[4] http://drupal.org/node/615988
[5] http://drupal.org/node/616824
[6] http://drupal.org/user/91990
[7] http://drupal.org/user/107403
