Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-2007-010
- Project: Secure site (third-party module)
- Version: 4.7, 5
- Date: 2007-Feb-16
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Secure site allows one to protect a website with a browser-based password. These usernames and passwords are tied directly to the Drupal user database. The site will be invisible to search engines and other crawlers, but still allows access to certain users.
A serious design flaw allows the access restriction to be bypassed by adding a certain string to a URL. Normal Drupal user account permissions are still in effect, but the module's protection is negated.
- Secure site 4.7.x-1.x-dev
- Secure site 5.x-1.x-dev
Drupal core is not affected. If you do not use the contributed Secure site module, there is nothing you need to do.
Install the latest version:
See also the Secure site project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.