
it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-037 - Decisions - Access bypass

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-037 - Decisions - Access bypass
  • Date: Wed, 28 Apr 2010 19:02:33 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-037
* Project: Decisions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-April-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

-------- DESCRIPTION
---------------------------------------------------------

Decisions is a replacement for poll.module and provides advanced voting
systems and decision-making tools. It aims to enable groups to take decisions
online in a manner that replicates and augments what is possible in
face-to-face meetings. In some listings, the Decisions module does not
construct its SQL query to respect node access restrictions, so users can
see listings of nodes that should not be accessible to them.

-------- VERSIONS AFFECTED
---------------------------------------------------

* Decisions for Drupal 5.x versions prior to 5.x-1.2
* Decisions for Drupal 6.x versions prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed Decisions [1]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version.
* If you use Decisions for Drupal 5.x, upgrade to Decisions 5.x-1.2 [2]
* If you use Decisions for Drupal 6.x, upgrade to Decisions 6.x-1.7 [3]

-------- REPORTED BY
---------------------------------------------------------

* Kirill Stealth [4]

-------- FIXED BY
------------------------------------------------------------

* Antoine Beaupré [5], module maintainer.
* Ezra Barnett Gildesgame [6], module maintainer.

-------- CONTACT
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/decisions
[2] http://drupal.org/node/784444
[3] http://drupal.org/node/783766
[4] http://drupal.org/user/205226
[5] http://drupal.org/user/1274
[6] http://drupal.org/user/69959

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
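
The bug class described in the advisory, as an added example that is not part of the original message and is not the Decisions module's code: a listing query that ignores node access next to one that joins the grants table, which is the kind of rewrite Drupal 5.x/6.x applies when a query is passed through db_rewrite_sql(). The schema is a simplified model of Drupal's node and node_access tables; the node type `decision`, the realm `example_group` and all rows are constructed.

```python
import sqlite3

def build_db():
    """In-memory model of Drupal's node / node_access tables (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT, status INTEGER);
        CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
        INSERT INTO node VALUES (1, 'decision', 'Public budget vote', 1);
        INSERT INTO node VALUES (2, 'decision', 'Board-only vote', 1);
        INSERT INTO node VALUES (3, 'page', 'About', 1);
        -- realm 'all', gid 0 means viewable by everyone
        INSERT INTO node_access VALUES (1, 0, 'all', 1);
        INSERT INTO node_access VALUES (3, 0, 'all', 1);
        -- node 2 is viewable only by holders of the (example_group, 7) grant
        INSERT INTO node_access VALUES (2, 7, 'example_group', 1);
    """)
    return db

def list_unfiltered(db):
    """Listing as in the advisory: node access grants are never consulted."""
    sql = ("SELECT n.nid, n.title FROM node n "
           "WHERE n.type = 'decision' AND n.status = 1 ORDER BY n.nid")
    return db.execute(sql).fetchall()

def list_access_checked(db, grants):
    """Same listing restricted to nodes the user may view.

    grants: set of (realm, gid) pairs held by the current user.
    """
    held = [("all", 0)] + sorted(grants)
    clause = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in held)
    params = [value for pair in held for value in pair]
    sql = ("SELECT DISTINCT n.nid, n.title FROM node n "
           "INNER JOIN node_access na ON na.nid = n.nid "
           "WHERE n.type = 'decision' AND n.status = 1 "
           f"AND na.grant_view >= 1 AND ({clause}) ORDER BY n.nid")
    return db.execute(sql, params).fetchall()

def leaked_nids(db, grants):
    """Regression check: nids the unfiltered listing exposes beyond the user's grants."""
    allowed = {nid for nid, _ in list_access_checked(db, grants)}
    return [nid for nid, _ in list_unfiltered(db) if nid not in allowed]

if __name__ == "__main__":
    db = build_db()
    print("unfiltered:", list_unfiltered(db))
    print("anonymous :", list_access_checked(db, set()))
    print("leaked    :", leaked_nids(db, set()))
```
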

