it-securitynotifies AT lists.piratenpartei.de
Subject: Sicherheitsankündigungen (security announcements)
[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-019 - Weekly Archive by Node Type - Access Bypass
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-019 - Weekly Archive by Node Type - Access Bypass
- Date: Wed, 24 Feb 2010 16:17:58 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-019
* Project: Weekly Archive by Node Type (third-party module)
* Version: 6.x-2.x
* Date: 2010-February-24
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Weekly Archive by Node Type module generates weekly archive pages and a
block with links to the pages. You can specify the node types that will be
included in the archive pages. In weekly summaries listings, the Weekly
Archive by Node Type module does not construct its SQL query to respect node
access restrictions, thus users can see listings of nodes which are
restricted by a node access module and which should not be accessible.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Weekly Archive by Node Type module for Drupal 6.x versions prior to
6.x-2.7
Drupal core is not affected. If you do not use the contributed Weekly Archive
by Node Type [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the Weekly Archive by Node Type module for Drupal 6.x upgrade
to Weekly Archive by Node Type 6.x-2.7 [2]
-------- REPORTED BY ---------------------------------------------------------
* Aron Hsiao.
-------- FIXED BY ------------------------------------------------------------
* Prometheus6 [3], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/week
[2] http://drupal.org/node/723776
[3] http://drupal.org/user/10137
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
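
The flaw class the advisory describes, a listing query that skips node access checks, modelled as an added example (not the module's code and not part of the advisory). It uses a simplified SQLite version of Drupal 6's `node` and `node_access` tables with constructed rows; the realm name `example_private`, the function names and the `grants` parameter are assumptions for illustration.

```python
import sqlite3

WEEK = (1266796800, 1267401600)  # constructed week: 2010-02-22 to 2010-03-01 UTC

def build_db():
    """Constructed sample rows on a simplified model of node / node_access."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT,
                           status INTEGER, created INTEGER);
        CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT,
                                  grant_view INTEGER);
        INSERT INTO node VALUES (1, 'story', 'Public post',  1, 1266800000);
        INSERT INTO node VALUES (2, 'story', 'Members only', 1, 1266900000);
        INSERT INTO node VALUES (3, 'story', 'Older post',   1, 1260000000);
        -- nid 1 and 3 are viewable by everyone; nid 2 only by grant id 7
        INSERT INTO node_access VALUES (1, 0, 'all', 1);
        INSERT INTO node_access VALUES (3, 0, 'all', 1);
        INSERT INTO node_access VALUES (2, 7, 'example_private', 1);
    """)
    return db

def weekly_listing_unfiltered(db, start, end):
    """Flawed pattern: filters on type, status and date only; ignores node_access."""
    rows = db.execute(
        "SELECT n.nid, n.title FROM node n "
        "WHERE n.status = 1 AND n.type = 'story' "
        "AND n.created >= ? AND n.created < ? ORDER BY n.created", (start, end))
    return [r[1] for r in rows]

def weekly_listing_access_checked(db, start, end, grants):
    """Same listing, restricted to nodes the viewer holds a view grant for.
    grants: (realm, gid) pairs held by the viewer (hypothetical parameter)."""
    clauses = ["(na.gid = 0 AND na.realm = 'all')"]
    params = [start, end]
    for realm, gid in grants:
        clauses.append("(na.gid = ? AND na.realm = ?)")
        params += [gid, realm]
    rows = db.execute(
        "SELECT DISTINCT n.nid, n.title, n.created FROM node n "
        "INNER JOIN node_access na ON na.nid = n.nid "
        "WHERE n.status = 1 AND n.type = 'story' "
        "AND n.created >= ? AND n.created < ? "
        "AND na.grant_view >= 1 AND (" + " OR ".join(clauses) + ") "
        "ORDER BY n.created", params)
    return [r[1] for r in rows]
```

In Drupal 6 itself, node listing queries receive this kind of restriction by being passed through `db_rewrite_sql()`, which lets node access modules add the join and grant conditions.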