it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-045 - Auto Assign Role - Access bypass
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-045 - Auto Assign Role - Access bypass
- Date: Wed, 12 May 2010 18:58:25 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-045
* Project: Auto Assign Role (third-party module)
* Version: 6.x
* Date: 2010-May-12
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Auto Assign Role module serves three primary purposes. The first is to
provide an automatic assignment of roles when a new account is created. The
second is to allow the end user the option of choosing their own role or roles
when they create their account. The third is to provide paths that will
trigger a specific role when an account is created. Auto Assign Role recently
added a node autocomplete that did not properly utilize the Drupal node access
API. This may allow users with the 'administer autoassignrole' permission to
view the content of nodes that they should not have permission to access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Auto Assign Role [1] module for Drupal 6.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Auto Assign
Role module for Drupal 6.x, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version or disable the module. If you use Auto Assign Role
prior to 6.x-1.2, upgrade to Auto Assign Role 6.x-1.2 [2].
-------- REPORTED BY ---------------------------------------------------------
* mr.baileys [3].
-------- FIXED BY ------------------------------------------------------------
* Kevin Bridges [4], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [5].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/autoassignrole
[2] http://drupal.org/node/795926
[3] http://drupal.org/user/383424
[4]
[5] http://drupal.org/contact
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
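
Added example, not part of the advisory and not code from Auto Assign Role: a Drupal 6 node-title autocomplete callback written without and with the node access API, which is the class of bug the description above refers to. The module name "example" and all function names are hypothetical; the Drupal functions called (db_query_range, db_rewrite_sql, db_fetch_object, check_plain, drupal_json) are Drupal 6 core.

```php
<?php
// Added illustration for Drupal 6. The module name "example" and the function
// names are hypothetical; this is not code from Auto Assign Role.

// Shared title-prefix query; %s is filled in (and escaped) by db_query_range().
define('EXAMPLE_TITLE_SQL',
  "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%s%%')");

/**
 * Before: the query runs as written, so every matching title is returned,
 * including nodes that node access modules would hide from the current user.
 */
function example_autocomplete_unchecked($string = '') {
  $matches = array();
  if ($string !== '') {
    $result = db_query_range(EXAMPLE_TITLE_SQL, $string, 0, 10);
    $matches = _example_matches($result);
  }
  drupal_json($matches);
}

/**
 * After: db_rewrite_sql() lets node access modules add their grant conditions
 * for the current user before the query is executed.
 */
function example_autocomplete_checked($string = '') {
  $matches = array();
  if ($string !== '') {
    $sql = db_rewrite_sql(EXAMPLE_TITLE_SQL, 'n', 'nid');
    $result = db_query_range($sql, $string, 0, 10);
    $matches = _example_matches($result);
  }
  drupal_json($matches);
}

/**
 * Builds the autocomplete array: the key goes into the form field, the
 * escaped value is what the browser displays in the suggestion list.
 */
function _example_matches($result) {
  $matches = array();
  while ($node = db_fetch_object($result)) {
    $matches[$node->title . ' [nid:' . $node->nid . ']'] = check_plain($node->title);
  }
  return $matches;
}
```

db_rewrite_sql() applies node access grants only; a listing that must also hide unpublished nodes needs its own n.status = 1 condition, and users with the 'administer nodes' permission are not filtered at all.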