[Security-news] SA-CONTRIB-2010-045 - Auto Assign Role - Access bypass

security-news at drupal.org security-news at drupal.org
Wed May 12 18:58:25 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-045
  * Project: Auto Assign Role (third-party module)
  * Version: 6.x
  * Date: 2010-May-12
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

-------- DESCRIPTION  
---------------------------------------------------------

The Auto Assign Role module serves three primary purposes. The first is to
provide an automatic assignment of roles when a new account is created. The
second is to allow the end user the option of choosing their own role or roles
when they create their account. The third is to provide paths that will
trigger a specific role when an account is created. Auto Assign Role recently
added a node autocomplete that did not properly utilize the Drupal node access
API. This may allow users with the 'administer autoassignrole' permission to
view the content of nodes that they should not have permission to access.
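
An added illustration, not the module's code and not part of the original advisory: in Drupal 6 a listing query honours node access only when it is passed through db_rewrite_sql(). The function names and the title-matching query are hypothetical.

```php
<?php
// Added illustration for Drupal 6. Function names are hypothetical and the
// query is an assumption; this is not the Auto Assign Role module's code.

/**
 * Autocomplete callback that skips node access: every node whose title
 * matches is returned, including nodes the current user may not view.
 */
function example_node_autocomplete_unchecked($string = '') {
  $matches = array();
  $result = db_query_range(
    "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%s%%')",
    $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    $matches[$node->title] = check_plain($node->title);
  }
  drupal_json($matches);
}

/**
 * Same callback with the query passed through db_rewrite_sql(), which lets
 * node access modules add their grant conditions for the current user
 * (primary table alias 'n' and key 'nid' are the function's defaults).
 */
function example_node_autocomplete_checked($string = '') {
  $matches = array();
  $sql = db_rewrite_sql(
    "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%s%%')");
  $result = db_query_range($sql, $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    // Titles are escaped before being sent to the autocomplete widget.
    $matches[$node->title] = check_plain($node->title);
  }
  drupal_json($matches);
}
```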

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Auto Assign Role [1] module for Drupal 6.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Auto Assign
Role module for Drupal 6.x, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version or disable the module. If you use Auto Assign Role
prior to 6.x-1.2, upgrade to Auto Assign Role 6.x-1.2 [2].

-------- REPORTED BY  
---------------------------------------------------------

  * mr.baileys [3].

-------- FIXED BY  
------------------------------------------------------------

  * Kevin Bridges [4], the module maintainer.

-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [5].

Read more about the Security Team and Security Advisories at
http://drupal.org/security.


[1] http://drupal.org/project/autoassignrole
[2] http://drupal.org/node/795926
[3] http://drupal.org/user/383424
[4]
[5] http://drupal.org/contact


