SA-CONTRIB-2014-097 - nodeaccess - Access Bypass

• Advisory ID: DRUPAL-SA-CONTRIB-2014-097
• Project: Nodeaccess (third-party module)
• Version: 6.x, 7.x
• Date: 2014-October-08
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Uncommon
• Vulnerability: Access bypass

Description

Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes.

This module enables you to inadvertently allow an author of a node view/edit/delete the node in question (who may not have access). The module over-eagerly grants read/write/delete access to all authors of nodes.

In addition, a node that is unpublished, but is granted node specific permissions will obey the node specific permissions and not the unpublished content permission for the role.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance
  with Drupal Security Team processes.

Versions affected

• Nodeaccess 6.x-1.x versions prior to 6.x-1.5.
• Nodeaccess 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Nodeaccess module,
there is nothing you need to do.

Solution

Ensure that you are using the latest version of the Nodeaccess module when installing. For existing nodes, please ensure that the author permissions are correct.

• If you use the Nodeaccess module for Drupal 6.x, upgrade to Nodeaccess 6.x-1.5
• If you use the Nodeaccess module for Drupal 7.x, upgrade to Nodeaccess 7.x-1.4

Also see the Nodeaccess project page.

Reported by

• AdamPS
• sanette

Fixed by

• AdamPS the issue reporter.
• Vlad Pavlovic the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.