- Advisory ID: DRUPAL-SA-CONTRIB-2013-096
- Project: Entity reference (third-party module)
- Version: 7.x
- Date: 2013-November-20
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
By default, with an autocomplete or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This correctly throws an 'invalid id' error and does not show the title of the entity.
However, if a user (A) who has access to the referenced entity (Node 1) makes that reference on a node (Node 2) and gives edit access to another user (B), user B will be able to see the node title for the referenced node (Node 2).
This vulnerability is mitigated by the fact that an attacker must get a user with access to a private node to reference it via another node that the attacker has edit access to. No other node information is leaked other than the title.
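The following is an added example, not code from the Entityreference module or its fix. It shows the defensive pattern the description implies: when a widget builds the default value for an existing reference, the label of each referenced node is exposed only after checking that the editing user can view that node. It assumes the Drupal 7 functions node_load_multiple(), node_access() and entity_label(); the function name and the placeholder text are hypothetical.

```php
<?php
/**
 * Added example (hypothetical helper, not the module's own code).
 *
 * Builds the "Label (id)" default string for an autocomplete widget,
 * hiding the title of any referenced node that $account may not view.
 * The reference itself is preserved so saving the form does not drop it.
 *
 * @param array $nids
 *   Node IDs currently referenced by the field.
 * @param object $account
 *   The user editing the form (e.g. user B in the advisory).
 *
 * @return string
 *   Comma-separated default value for the widget.
 */
function example_entityreference_safe_default(array $nids, $account) {
  $values = array();
  foreach (node_load_multiple($nids) as $nid => $node) {
    // Drupal 7 access check against the referenced node for this account.
    if (node_access('view', $node, $account)) {
      $values[] = entity_label('node', $node) . ' (' . $nid . ')';
    }
    else {
      // Placeholder label (constructed): keeps the id, leaks no title.
      $values[] = '- Restricted access - (' . $nid . ')';
    }
  }
  return implode(', ', $values);
}
```

The check runs against the account viewing the form, not the account that originally created the reference, which is the distinction the advisory describes: user A's access to Node 1 must not carry over to user B when B edits Node 2.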
CVE identifier(s) issued
- CVE-2013-7066
Versions affected
- Entityreference 7.x-1.x versions prior to 7.x-1.1-rc1
Drupal core is not affected. If you do not use the contributed Entity reference module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Entityreference module for Drupal 7.x, upgrade to Entityreference 7.x-1.1
Also see the Entity reference project page.
Reported by
Fixed by
- Damien Tournoud the module maintainer
- Jakob Perry
- Amitai Burstein
Coordinated by
- David Stoline and Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.