[Security-news] SA-CONTRIB-2009-060 - Meta tags (Nodewords) - Access bypass
security-news at drupal.org
security-news at drupal.org
Wed Sep 23 15:08:08 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-060
* Project: Meta tags / Nodewords (third-party module)
* Version: 6.x
* Date: 2009-September-23
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Meta tags (also known as Nodewords) module provides meta tags based on
node titles. In certain conditions, the node meta tags were not respecting
access permissions, potentially exposing content not available otherwise.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Meta tags for Drupal 6.x before Meta tags 6.x-1.1
Drupal core is not affected. If you do not use the contributed Meta tags
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal 6.x upgrade to Meta tags 6.x-1.1 [1].
Also see the Meta tags [2] project page.
-------- REPORTED BY
---------------------------------------------------------
Barry Jaspan [3] and Ben Jeavons [4], both of the Drupal Security Team [5]
-------- FIXED BY
------------------------------------------------------------
Alberto Paderno [6], the module co-maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/585706
[2] http://drupal.org/project/nodewords
[3] http://drupal.org/user/46413
[4] http://drupal.org/user/91990
[5] http://drupal.org/security-team
[6] http://drupal.org/user/55077
More information about the Security-news
mailing list