[IT-SecNots] [Security-news] SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass

[security-news AT drupal.org]

View online: https://drupal.org/node/2254943

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-048
   * Project: Field API Pane Editor (FAPE) [1] (third-party module)
   * Version: 7.x
   * Date: 2014-April-30
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

This module adds a contextual menu to fields which are added to an entity
display in Panels, allowing individual fields to be directly edited via a
separate page or, if it is enabled, the Overlay module.

The module doesn't sufficiently verify the user has access to modify the
entity the field is attached to. Unless another module was installed which
restricted access to edit the fields, any user can edit any field on any
entity on the site.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Field API Pane Editor (FAPE) 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Field API Pane
Editor (FAPE) [4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Field API Pane Editor (FAPE) module for Drupal 7.x, 
upgrade
     to Field API Pane Editor (FAPE) 7.x-1.2. [5]

Also see the Field API Pane Editor (FAPE) [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Andrew Belcher [7].

-------- FIXED BY
------------------------------------------------------------

   * David Rothstein [8] of the Drupal Security Team.
   * Damien McKenna [9], the module maintainer.

-------- COORDINATED BY
------------------------------------------------------

   * David Snopek [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/fape
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fape
[5] https://drupal.org/node/2254923
[6] http://drupal.org/project/fape
[7] http://drupal.org/user/655282
[8] http://drupal.org/user/124982
[9] http://drupal.org/user/108450
[10] https://drupal.org/user/266527
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news