[Security-news] Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031

security-news at drupal.org security-news at drupal.org
Wed Mar 15 18:26:45 UTC 2017


View online: https://www.drupal.org/node/2860906

   * Advisory ID: DRUPAL-SA-CONTRIB-2017-031
   * Project: Private [1]     (third-party module)
   * Version: 7.x
   * Date: 2017-March-15
   * Security risk: 15/25 ( Critical)
     AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to mark nodes as private so that they are only
accessible to users that have been granted an extra permissions.

The module doesn't always enforce the access restrictions. In some cases a
node that a site admin expects to be private is actually accessible as normal
or nodes may be editable in ways a site admin may not expect.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Private 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Private [4]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Private module 7.x-1.x your site may be at risk. The only
     completely safe option is to take the website off-line. In most cases,
     disabling the module will not mitigate the vulnerabilities as that will
     expose even more private information.
   * A new maintainer has developed a beta secure version of the module using
     the 7.x-2.x branch. This is a partial rewrite and /needs further 
testing/.
       Please test it and provide bug reports and help developing patches.

Also see the Private [5] project page.

-------- REPORTED BY
---------------------------------------------------------


   * Adam Shepherd [6]

-------- FIXED BY
------------------------------------------------------------

   * Adam Shepherd [7] The module maintainer

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison  [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and  securing your site [12].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]


[1] https://www.drupal.org/project/private
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/private
[5] https://www.drupal.org/project/private
[6] https://www.drupal.org/u/adamps
[7] https://www.drupal.org/u/adamps
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity



More information about the Security-news mailing list