• Advisory ID: DRUPAL-SA-2007-010
  • Project: Secure site (third-party module)
  • Version: 4.7, 5
  • Date: 2007-Feb-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

Secure site allows one to protect a website with a browser-based password. These usernames and passwords are tied directly to the Drupal user database. The site will be invisible to search engines and other crawlers, but still allows access to certain users.

A serious design flaw allows the access restriction to be bypassed by adding a certain string to a URL. Normal Drupal user account permissions are still in effect, but the module's protection is negated.

Versions affected

  • Secure site 4.7.x-1.x-dev
  • Secure site 5.x-1.x-dev

Drupal core is not affected. If you do not use the contributed Secure site module, there is nothing you need to do.

Solution

Install the latest version:

See also the Secure site project page.

Reported by

Steven Wittens.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.