[Security-news] SA-CONTRIB-2014-053 - Field API Tab Editor (FATE) - Access bypass
security-news at drupal.org
security-news at drupal.org
Wed May 14 17:00:05 UTC 2014
View online: https://drupal.org/node/2267539
* Advisory ID: DRUPAL-SA-CONTRIB-2014-053
* Project: Field API Tab Editor [1] (third-party module)
* Version: 7.x
* Date: 2014-May-14
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows each entity field to be individually edited via its own
custom page, accessible via a tab on the entity's page.
The module returns an incorrect value to hook_menu if the current user does
not have access to edit the entity. This allows users who would not normally
have access to edit the entity to edit any fields that are enabled via this
module.
The problem is mitigated by the fact that a site builder must enable the
custom edit page for the fields. That configuration is not the default nor
automatic.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Field API Tab Editor (FATE) 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Field API Tab
Editor [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Field API Tab Editor (FATE) module for Drupal 7.x, upgrade
to Field API Tab Editor (FATE) v7.x-1.1 [5].
Also see the Field API Tab Editor [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Damien McKenna [7], the module's maintainer.
-------- FIXED BY
------------------------------------------------------------
* Damien McKenna [8], the module's maintainer.
* Bob Kepford [9], a reviewer.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10], of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/fate
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fate
[5] https://drupal.org/node/2267527
[6] http://drupal.org/project/fate
[7] http://drupal.org/user/108450
[8] http://drupal.org/user/108450
[9] http://drupal.org/user/212517
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
More information about the Security-news
mailing list