Drupal Decisions Module Node Listing Security Bypass Vulnerability
BID:39773
Info
| Bugtraq ID: | 39773 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 28 2010 12:00AM |
| Updated: | Apr 28 2010 12:00AM |
| Credit: | Kirill Stealth |
| Vulnerable: | Drupal Decisions 6.x-1.6; Drupal Decisions 5.x-1.1 |
| Not Vulnerable: | Drupal Decisions 6.x-1.7; Drupal Decisions 5.x-1.2 |
Discussion
The Decisions module for Drupal is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.
Attackers can exploit this issue to bypass security restrictions to obtain sensitive information or perform unauthorized actions; this may aid in launching further attacks.
Versions prior to Decisions 5.x-1.2 and 6.x-1.7 are vulnerable.
Exploit / POC
Attackers can exploit this issue through a browser.
Solution / Fix
Solution:
The vendor has released fixes and an advisory. Please see the references for details.
Drupal Decisions 6.x-1.6
- Drupal decisions-6.x-1.7.tar.gz: http://ftp.drupal.org/files/projects/decisions-6.x-1.7.tar.gz

Drupal Decisions 5.x-1.1
- Drupal decisions-5.x-1.2.tar.gz: http://ftp.drupal.org/files/projects/decisions-5.x-1.2.tar.gz
References
References:
- Decisions Homepage (Drupal)
- Drupal Language Switcher Dropdown Homepage (Drupal)
- SA-CONTRIB-2010-037 - Decisions - Access bypass (Drupal)