  • Advisory ID: DRUPAL-SA-2007-020
  • Project: Project and Project issue tracking (third-party modules)
  • Version: 4.7.x-1.*, 4.7.x-2.*, 5.x-0.*
  • Date: 2007-Aug-20
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The Project and Project issue tracking modules provide a series of permissions to control access to projects and issues: "access projects", "access own projects", "access project issues" and "access own project issues". While these permissions correctly prevent users from viewing the entire project or issue itself, the titles (and teasers) of projects and issues can be viewed if a project or issue is promoted to the front page, via the tracker module and the "Recent posts" page, and so on. In certain places, project names are disclosed to users who do not have access to those projects. The issue statistics pages also include information about issues and projects that the user does not have permission to view. Finally, if users can discover or guess the node identifier for a project they do not have access to, they can view CVS activity about that project.
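The defect class above is an access check that is enforced on the full node view but not on the other surfaces that expose node data (promoted listings, statistics, per-id subpages). The following Python model, added here as an illustration and not the Project module's own code, shows the leaky listing beside a hardened one, and reuses a single access decision for the listing, the issue statistics and the per-id CVS activity page. The permission names are the four the advisory lists; the users, nodes, `project_nid` field and CVS log entries are constructed sample data.

```python
"""Constructed model of the access-bypass class in DRUPAL-SA-2007-020.

Not the Project module's code. The point: one per-node access decision
(can_view) must gate *every* surface that exposes node data, not only the
full node page.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Permission names are the ones the advisory lists, keyed by node type.
PERM_FOR_TYPE = {
    "project": ("access projects", "access own projects"),
    "project_issue": ("access project issues", "access own project issues"),
}


@dataclass
class User:
    uid: int
    perms: FrozenSet[str] = frozenset()


@dataclass
class Node:
    nid: int
    type: str                      # "project" or "project_issue"
    uid: int                       # owner
    title: str
    teaser: str
    promoted: bool = False
    project_nid: Optional[int] = None  # constructed: parent project of an issue


def can_view(user: User, node: Node) -> bool:
    """The single access decision every surface below must reuse."""
    any_perm, own_perm = PERM_FOR_TYPE[node.type]
    if any_perm in user.perms:
        return True
    return own_perm in user.perms and node.uid == user.uid


def front_page_leaky(user: User, nodes: List[Node]) -> List[Tuple[str, str]]:
    """Flawed pattern: 'promoted' is the only filter, so titles and teasers
    of nodes the user may not view are disclosed."""
    return [(n.title, n.teaser) for n in nodes if n.promoted]


def front_page(user: User, nodes: List[Node]) -> List[Tuple[str, str]]:
    """Hardened listing: promoted AND viewable by this user."""
    return [(n.title, n.teaser) for n in nodes if n.promoted and can_view(user, n)]


def issue_stats(user: User, nodes: List[Node]) -> Dict[str, int]:
    """Issue counts per project, computed only over viewable issues whose
    parent project is also viewable, so hidden project names never appear."""
    by_nid = {n.nid: n for n in nodes}
    stats: Dict[str, int] = {}
    for n in nodes:
        if n.type != "project_issue" or not can_view(user, n):
            continue
        project = by_nid.get(n.project_nid) if n.project_nid is not None else None
        if project is None or not can_view(user, project):
            continue
        stats[project.title] = stats.get(project.title, 0) + 1
    return stats


def cvs_activity(user: User, nid: int, nodes: List[Node],
                 activity: Dict[int, List[str]]) -> Optional[List[str]]:
    """Per-id subpage: a discovered or guessed nid must not bypass the check.
    Returns None for both 'no such project' and 'not permitted', so the
    response does not confirm that a hidden project exists."""
    node = next((n for n in nodes if n.nid == nid and n.type == "project"), None)
    if node is None or not can_view(user, node):
        return None
    return activity.get(nid, [])


# Constructed sample data.
ANON = User(0)
ALICE = User(2, frozenset({"access own projects", "access own project issues"}))
BOB = User(3, frozenset({"access projects", "access project issues"}))

NODES = [
    Node(10, "project", 2, "Alice's private project", "Internal tooling", promoted=True),
    Node(11, "project", 3, "Bob's project", "Public widgets", promoted=True),
    Node(20, "project_issue", 2, "Crash on start", "Stack trace attached",
         promoted=True, project_nid=10),
    Node(21, "project_issue", 3, "Typo in docs", "Minor", promoted=False, project_nid=11),
]
CVS_LOG = {10: ["r101 alice: add internal feature"], 11: ["r55 bob: fix typo"]}

if __name__ == "__main__":
    print("leaky front page for anonymous:", front_page_leaky(ANON, NODES))
    print("hardened front page for anonymous:", front_page(ANON, NODES))
    print("issue stats for alice:", issue_stats(ALICE, NODES))
    print("cvs activity nid=10 for anonymous:", cvs_activity(ANON, 10, NODES, CVS_LOG))
```

Running the module shows the anonymous user receiving three titles and teasers from the leaky listing and none from the hardened one; the statistics and CVS pages return nothing for projects the user cannot view, whether the id was listed or guessed.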

Versions affected

  • 5.x-*:
    • Project before version 5.x-1.0
    • Project issue tracking before version 5.x-1.0
  • 4.7.x-2.*:
    • Project before version 4.7.x-2.3
    • Project issue tracking before version 4.7.x-2.4
  • 4.7.x-1.*:
    • Project before version 4.7.x-1.3
    • Project issue tracking before version 4.7.x-1.4

Drupal core is not affected. If you do not use the contributed Project or Project issue tracking modules, there is nothing you need to do. Furthermore, if your site is using these modules but provides full read access to projects and issues (by granting 'access projects' and 'access project issues' permission to both anonymous and authenticated users) there is nothing you need to do.

Solution

Install the latest version:

Reported by

Derek Wright (dww) of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.