[Security-news] SA-CONTRIB-2014-78 - Notify - Access bypass

security-news at drupal.org security-news at drupal.org
Wed Aug 13 18:00:54 UTC 2014


View online: https://www.drupal.org/node/2320741

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-078
   * Project: Notify [1]     (third-party module)
   * Version: 7.x
   * Date: 2014-August-13
   * Security risk: 10/25 (Moderately Critical)
     AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:75 [2]
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

The notify module allows users to subscribe to periodic emails which include
all new or revised content and/or comments of specific content types, much
like the daily newsletters sent by some websites.

The Notify module does not sufficiently check whether the user has access to
recently added or updated nodes and all the fields within the node before
including the nodes in notification emails to a given user. This will expose
node titles and potentially node teasers and fields to users who should not
see them.

This vulnerability is mitigated by the fact that a site must use some form of
access control and must be configured to include nodes with protected content
in notifications.
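The three checks the advisory says were missing (per-recipient node query filtering, per-node access, per-field access), as an added example that is not the Notify module's own code or its actual fix; it assumes Drupal 7 core APIs and the hypothetical function name example_notify_digest_content:

```php
<?php
/**
 * Build the per-recipient digest content with access checks applied.
 *
 * Hypothetical helper (example_ prefix), not the Notify module's own code.
 * Assumes Drupal 7 core APIs: db_select() with the node_access tag,
 * node_access(), field_info_instances(), field_info_field(), field_access().
 */
function example_notify_digest_content($account, $since) {
  // The unsafe pattern the advisory describes: every changed node is
  // selected without regard to who will receive the email, e.g.
  //   db_query('SELECT nid FROM {node} WHERE changed > :t', array(':t' => $since))
  //
  // SQL-level check: the node_access tag lets node grant modules filter the
  // result set. The 'account' metadata matters because digests are built
  // during cron, where the current user is not the recipient.
  $nids = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.changed', $since, '>')
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->addMetaData('account', $account)
    ->execute()
    ->fetchCol();
  $digest = array();
  foreach (node_load_multiple($nids) as $node) {
    // Object-level check: hook_node_access() implementations are not applied
    // by the SQL tag, so re-check each loaded node for this recipient.
    if (!node_access('view', $node, $account)) {
      continue;
    }
    $entry = array('title' => $node->title, 'fields' => array());
    foreach (field_info_instances('node', $node->type) as $field_name => $instance) {
      $field = field_info_field($field_name);
      // Field-level check: a node can be visible while one of its fields
      // (e.g. one restricted by a field permissions module) is not.
      if (!field_access('view', $field, 'node', $node, $account)) {
        continue;
      }
      $items = field_get_items('node', $node, $field_name);
      if ($items) {
        $entry['fields'][$field_name] = $items;
      }
    }
    $digest[$node->nid] = $entry;
  }
  return $digest;
}
```

Only titles and field values that pass all three checks reach the email body, which is the exposure the advisory describes.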


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes.

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Notify 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Notify [4]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Notify module for Drupal 7.x, upgrade to Notify 7.x-1.1 [5]

Also see the Notify [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * John Oltman [7] of the Drupal Security Team

-------- FIXED BY
------------------------------------------------------------

   * Gisle Hannemyr [8], one of the module maintainers
   * Matt Chapman [9] of the Drupal Security Team
   * John Oltman [10] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] https://www.drupal.org/project/notify
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/notify
[5] https://www.drupal.org/node/2320693
[6] https://www.drupal.org/project/notify
[7] https://www.drupal.org/user/699926
[8] https://www.drupal.org/user/409554
[9] https://www.drupal.org/user/143172
[10] https://www.drupal.org/user/699926
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
