[Security-news] SA-CONTRIB-2012-019 - Link checker - Access bypass

security-news at drupal.org security-news at drupal.org
Wed Feb 15 21:05:57 UTC 2012


  * Advisory ID: DRUPAL-SA-CONTRIB-2012-019
  * Project: Link checker [1] (third-party module)
  * Version: 6.x
  * Date: 2012-February-15
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The Link checker module extracts links from your site's content and
periodically tries to detect broken links and report them so they can be
fixed.

The module does not correctly check permission to access the site's content
before displaying broken links that were found within it, leading to an
access bypass vulnerability.

This vulnerability is mitigated by several factors: The site must have
private content (for example, if a node access or CCK field access module is
being used), and the Link checker module must be configured to display broken
links to users who do not already have permission to bypass content access
control. Also, only the URLs of the broken links are displayed, so this
vulnerability is only serious if the content of those URLs is potentially
sensitive (for example, if the URL contains a username and password or a
secure token, or if it would reveal sensitive information about topics being
discussed in the rest of the private content).
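
The pattern described above, sketched for Drupal 6 as an added example (not
code from the Link checker module or its fix). The function names, the assumed
tables {linkchecker_links} and {linkchecker_nodes}, and the "code <> 200" test
for a broken link are illustrative assumptions. Only node-level access is
covered, not CCK field access.

```php
<?php
// Added illustration for Drupal 6; not code from the Link checker module.
// Assumed schema: {linkchecker_links}(lid, url, code) holds checked URLs and
// {linkchecker_nodes}(nid, lid) maps each URL to the nodes it was found in.

/**
 * Flawed pattern: every broken URL is returned, regardless of whether the
 * viewer may see any node the URL was extracted from.
 */
function example_broken_links_unfiltered() {
  $urls = array();
  $result = db_query("SELECT l.url FROM {linkchecker_links} l WHERE l.code <> %d", 200);
  while ($row = db_fetch_object($result)) {
    $urls[] = $row->url;
  }
  return $urls;
}

/**
 * Checked pattern: a URL is reported only if $account can view at least one
 * node containing it, and only those viewable nodes are listed next to it.
 */
function example_broken_links_for_account($account) {
  $report = array();
  $result = db_query("SELECT l.lid, l.url, ln.nid FROM {linkchecker_links} l
    INNER JOIN {linkchecker_nodes} ln ON ln.lid = l.lid
    WHERE l.code <> %d ORDER BY l.lid, ln.nid", 200);
  while ($row = db_fetch_object($result)) {
    $node = node_load($row->nid);
    // node_access() applies node access modules' grants for this account.
    if (!$node || !node_access('view', $node, $account)) {
      continue;
    }
    if (!isset($report[$row->lid])) {
      $report[$row->lid] = array('url' => check_plain($row->url), 'nids' => array());
    }
    $report[$row->lid]['nids'][] = (int) $row->nid;
  }
  return $report;
}
```

A URL that appears in both a public and a private node is still reported, but
only the public node is listed as its source.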

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Link checker 6.x-2.x versions prior to 6.x-2.5.

Drupal core is not affected. If you do not use the contributed Link checker
[3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Link checker module for Drupal 6.x, upgrade to Link checker
    6.x-2.5 [4].

See also the Link checker [5] project page.

-------- REPORTED BY ---------------------------------------------------------

Various aspects of the access bypass vulnerability were reported by the
following individuals:

  * Ivo Van Geertruyen [6] of the Drupal Security Team
  * Dave Reid [7] of the Drupal Security Team
  * Alexander Hass [8], the module maintainer
  * David Rothstein [9] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

  * David Rothstein [10] of the Drupal Security Team
  * Alexander Hass [11], the module maintainer
  * Ivo Van Geertruyen [12] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/linkchecker
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/linkchecker
[4] http://drupal.org/node/1440508
[5] http://drupal.org/project/linkchecker
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/53892
[8] http://drupal.org/user/85918
[9] http://drupal.org/user/124982
[10] http://drupal.org/user/124982
[11] http://drupal.org/user/85918
[12] http://drupal.org/user/383424
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration


