it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2011-012 - Spaces - Access bypass
- Date: Wed, 2 Mar 2011 20:57:47 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2011-012
* Project: Spaces (third-party module)
* Version: 6.x
* Date: 2011-March-02
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Spaces module makes sitewide configuration options available to be
overridden by individual "spaces" on a Drupal site. Spaces provides a Views
module access plugin that does not properly check its permission setting
which may allow underprivileged users to visit certain pages. This
vulnerability is mitigated by the fact that Drupal's node access system will
prevent users from viewing content that they do not have permission to view.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spaces module for Drupal 6.x versions prior to 6.x-3.1
Drupal core is not affected. If you do not use the contributed Spaces [1] and
Views [2] modules, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Spaces module for Drupal 6.x upgrade to Spaces 6.x-3.1 [3]
See also the Spaces project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Matthew Radcliffe [5]
-------- FIXED BY
------------------------------------------------------------
* Jeff Miccolis [6], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [7] can be reached at security at drupal.org [8] or
via the form at http://drupal.org/contact [9].
Learn more about the team and their policies [10], writing secure code [11]
for Drupal, and Secure Configuration [12] of your site.
[1] http://drupal.org/project/spaces
[2] http://drupal.org/project/views
[3] http://drupal.org/node/1079192
[4] http://drupal.org/project/spaces
[5] http://drupal.org/user/157079
[6] http://drupal.org/user/31731
[7] http://drupal.org/security-team
[8] http://drupal.org
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] SA-CONTRIB-2011-012 - Spaces - Access bypass, security-news, 03.03.2011
Archiv bereitgestellt durch MHonArc 2.6.19.