[Security-news] SA-CONTRIB-2009-058 - Comment RSS - Access bypass

security-news at drupal.org
Wed Sep 16 17:03:46 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-058
  * Project: Comment RSS (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-September-16
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The Comment RSS [1] module provides RSS feeds for comments on individual
nodes. The link to such a feed contains the node's title. The code that adds
the feed link did not respect node access permissions, so the link (and with
it the title) could be exposed for content the user was otherwise not allowed
to see.
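
As an added illustration of the pattern that avoids this class of bypass in a
Drupal 6 module (example code, not the Comment RSS module's own code or its
actual fix): the feed link is only added after node_access() confirms the current
user may view the node. The example_ function names and the crss/node/ feed path
are assumptions for this example.

```php
<?php
// Added example, not the Comment RSS module's code. Function names (example_*)
// and the feed path ('crss/node/NID') are assumed. Drupal 6 API calls used:
// node_access(), drupal_add_feed(), url(), t(), hook_nodeapi().

/**
 * Return the comment feed link data for a node, or FALSE if the given
 * (default: current) user may not view the node.
 *
 * The access check is the whole point: the feed link carries the node title,
 * so emitting it for a node the user cannot view leaks that title. This is
 * the access bypass the advisory describes.
 */
function example_comment_feed_link($node, $account = NULL) {
  // node_access() applies the 'access content' permission, per-node access
  // grants and the node's published status.
  if (!node_access('view', $node, $account)) {
    return FALSE;
  }
  return array(
    // Feed path assumed for this example.
    'url' => url('crss/node/' . $node->nid, array('absolute' => TRUE)),
    'title' => t('Comments for @title', array('@title' => $node->title)),
  );
}

/**
 * Implementation of hook_nodeapi() (Drupal 6 signature).
 *
 * For the full-page view of a node ($a4 is $page), add the feed <link> only
 * when the access check passes. drupal_add_feed() escapes the attribute
 * values itself, so the title is handed over unescaped here.
 */
function example_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  if ($op == 'view' && $a4) {
    $link = example_comment_feed_link($node);
    if ($link) {
      drupal_add_feed($link['url'], $link['title']);
    }
  }
}
```
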
-------- VERSIONS AFFECTED ---------------------------------------------------

  * Comment RSS for Drupal 5.x before Comment RSS 5.x-2.2
  * Comment RSS for Drupal 6.x before Comment RSS 6.x-2.2

Drupal core is not affected. If you do not use the contributed Comment RSS
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Drupal 5.x, upgrade to Comment RSS 5.x-2.2 [2].
  * If you use Drupal 6.x, upgrade to Comment RSS 6.x-2.2 [3].

See also the Comment RSS [4] project page.
-------- REPORTED BY ---------------------------------------------------------

Dave Reid [5] of the Drupal Security Team [6] and co-maintainer of the
Comment RSS module
-------- FIXED BY ------------------------------------------------------------

Dave Reid [7]
-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/commentrss
[2] http://drupal.org/node/579292
[3] http://drupal.org/node/579290
[4] http://drupal.org/project/commentrss
[5] http://drupal.org/user/53892
[6] http://drupal.org/security-team
[7] http://drupal.org/user/53892
