[Security-news] SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities

[security-news at drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-018
  * Project: Content Distribution (third-party module)
  * Version: 6.x
  * Date: 2010 February 17
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Mulitple Vulnerabilities

-------- DESCRIPTION  
---------------------------------------------------------

Content Distribution module allows calling a method to delete particular
nodes using a XML-RPC call. When this method is allowed to be called by
anonymous users in user permissions, an attacker might delete a random node.
In addition, certain actions require Content Distribution to temporarily
switch users. This is being done without properly disabling session saving.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Content Distribution prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed Content
Distribution module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use Content Distribution for Drupal 6.x upgrade to Content
    Distribution 6.x-1.3 [1].

See also the Content Distribution project page [2].
-------- REPORTED BY  
---------------------------------------------------------

  * Joachim Noreiko (joachim [3]), the module co-maintainer.

-------- FIXED BY  
------------------------------------------------------------

  * Joachim Noreiko (joachim [4]), the module co-maintainer.

-------- CONTACT  
-------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/716400
[2] http://drupal.org/project/content_distribution
[3] http://drupal.org/user/107701
[4] http://drupal.org/user/107701