
it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-026 - Monthly Archive by Node Type - Access Bypass

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-026 - Monthly Archive by Node Type - Access Bypass
  • Date: Wed, 10 Mar 2010 16:52:58 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-026
* Project: Monthly Archive by Node Type (third-party module)
* Version: 6.x (all branches)
* Date: 2010-March-10
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Monthly Archive by Node Type module generates monthly archive pages and a
block with links to the pages. You can specify the node types that will be
included in the archive pages. In some summary listings, the Monthly Archive
by Node Type module does not construct its SQL query to respect node access
restrictions. As a result, users can see listings of nodes that are restricted
by a node access module and that should not be accessible to them.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Monthly Archive by Node Type module for Drupal 6.x versions prior to
6.x-1.4, 6.x-2.7, or 6.x-3.3

Drupal core is not affected. If you do not use the contributed Monthly
Archive by Node Type [1] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.

* If you use the Monthly Archive by Node Type module for Drupal 6.x-1.x,
upgrade to Monthly Archive by Node Type 6.x-1.4 [2]
* If you use the Monthly Archive by Node Type module for Drupal 6.x-2.x,
upgrade to Monthly Archive by Node Type 6.x-2.7 [3]
* If you use the Monthly Archive by Node Type module for Drupal 6.x-3.x,
upgrade to Monthly Archive by Node Type 6.x-3.3 [4]

-------- REPORTED BY ---------------------------------------------------------

* Prometheus6 [5], the module maintainer.

-------- FIXED BY ------------------------------------------------------------

* Prometheus6 [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/montharchive
[2] http://drupal.org/node/737842
[3] http://drupal.org/node/737848
[4] http://drupal.org/node/737854
[5] http://drupal.org/user/10137
[6] http://drupal.org/user/10137

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
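
The access bypass described under DESCRIPTION, modelled as an added example (not code from the module or from the advisory): a listing query that ignores node access next to one joined against view grants, plus a regression check that reports the difference. The tables are a simplified model of Drupal 6's node and node_access tables; all rows, realm names and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data, loosely modelled on Drupal 6's {node} and {node_access}.
NODES = [  # (nid, type, title, month created)
    (1, "story", "Public launch notes", "2010-02"),
    (2, "story", "Board-only minutes", "2010-02"),
    (3, "story", "Public roadmap", "2010-03"),
    (4, "page", "Staff handbook", "2010-02"),
]
GRANTS = [  # (nid, realm, gid, grant_view)
    (1, "all", 0, 1),
    (2, "board", 7, 1),
    (3, "all", 0, 1),
    (4, "staff", 3, 1),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT, month TEXT)")
    conn.execute("CREATE TABLE node_access (nid INTEGER, realm TEXT, gid INTEGER, grant_view INTEGER)")
    conn.executemany("INSERT INTO node VALUES (?, ?, ?, ?)", NODES)
    conn.executemany("INSERT INTO node_access VALUES (?, ?, ?, ?)", GRANTS)
    return conn

def archive_unfiltered(conn, node_type, month):
    """Listing query that ignores node access: the flaw the advisory describes."""
    rows = conn.execute(
        "SELECT n.title FROM node n WHERE n.type = ? AND n.month = ? ORDER BY n.nid",
        (node_type, month))
    return [r[0] for r in rows]

def archive_filtered(conn, node_type, month, user_grants):
    """Same listing, restricted to nodes the user holds a view grant for."""
    grants = [("all", 0)] + list(user_grants)  # every user has the 'all' realm
    clause = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    params = [node_type, month] + [v for g in grants for v in g]
    rows = conn.execute(
        "SELECT DISTINCT n.nid, n.title FROM node n "
        "INNER JOIN node_access na ON na.nid = n.nid "
        "WHERE n.type = ? AND n.month = ? AND na.grant_view >= 1 "
        f"AND ({clause}) ORDER BY n.nid", params)
    return [r[1] for r in rows]

def leaked_titles(conn, node_type, month, user_grants):
    """Regression check: titles the unfiltered listing shows but the user may not view."""
    allowed = set(archive_filtered(conn, node_type, month, user_grants))
    return [t for t in archive_unfiltered(conn, node_type, month) if t not in allowed]
```

In Drupal 6 itself, a listing query picks up this kind of restriction by being passed through db_rewrite_sql() before it is executed.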
