[Security-news] SA-CONTRIB-2010-037 - Decisions - Access bypass
security-news at drupal.org
security-news at drupal.org
Wed Apr 28 19:02:33 UTC 2010
* Advisory ID: DRUPAL-SA-CONTRIB-2010-037
* Project: Decisions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-April-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
Decisions is a replacement for poll.module and provides advanced voting
systems and decision-making tools. It aims to enable groups to take decisions
online in a manner that replicates and augments what is possible in
face-to-face meeting. In some listings, the Decisions module does not
construct its SQL query to respect node access restrictions, thus users can
see listings of nodes which should not be accessible to them.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Decisions for Drupal 5.x versions prior to 5.x-1.2
* Decisions for Drupal 6.x versions prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Decisions [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use Decisions for Drupal 5.x upgrade to Decisions 5.x-1.2 [2]
* If you use Decisions for Drupal 6.x upgrade to Decisions 6.x-1.7 [3]
-------- REPORTED BY
---------------------------------------------------------
* Kirill Stealth [4]
-------- FIXED BY
------------------------------------------------------------
* Antoine Beaupré [5], module maintainer.
* Ezra Barnett Gildesgame [6], module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/decisions
[2] http://drupal.org/node/784444
[3] http://drupal.org/node/783766
[4] http://drupal.org/user/205226
[5] http://drupal.org/user/1274
[6] http://drupal.org/user/69959
More information about the Security-news
mailing list