By Dries on
- Advisory ID: DRUPAL-SA-2005-009
- Project: Drupal core
- Date: 2005-11-30
- Security risk: not critical
- Impact: normal
- Where: from remote
- Vulnerability: bypass access control
Description
Andrew Widdowson informed us that it's possible to bypass the 'access user profile' permission if the server is running PHP5. No data can be changed, though.
Versions affected
Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3
Solution
If you are running Drupal 4.6.x and PHP5, then upgrade to Drupal 4.6.4.
Contact
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml.