- Advisory ID: DRUPAL-SA-2008-030
- Project: Site Documentation (third-party module)
- Versions: 5.x and 6.x
- Date: 2008-May-14
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Privilege escalation
The contributed module Site Documentation is intended to assist developers and administrators when they start working with a new site by showing them information from the database.
All users with the "access content" permission are able to use the module to list arbitrary tables from the database. In typical scenarios, both anonymous and authenticated users have the "access content" permission.
Access to arbitrary tables enables an attacker to impersonate users by using session IDs obtained from the database. An attacker could use specially crafted URLs to gain access to additional private information, including, but not limited to, all usernames, password hashes, and e-mail addresses.
- Site Documentation for Drupal 5.x before Site Documentation 5.x-1.8
- Site Documentation for Drupal 6.x before Site Documentation 6.x-1.1
Drupal core is not affected. If you do not use the contributed Site Documentation module, there is nothing you need to do.
Install the latest version:
- If you currently use Site Documentation 5.x-1.x, upgrade to Site Documentation 5.x-1.8
- If you currently use Site Documentation 6.x-1.0, upgrade to Site Documentation 6.x-1.1
See also the Site Documentation project page.
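To check an installed copy against the affected ranges above, the following added example (not part of the original advisory or the module's code) classifies the `version` string from a module's `.info` file. It assumes the standard Drupal contrib version format `<core>.x-<major>.<patch>[-extra]`; the sample `.info` text and the function names are constructed for illustration.

```python
import re

# Fixed releases named in DRUPAL-SA-2008-030, keyed by Drupal core branch.
FIXED = {5: (1, 8), 6: (1, 1)}

# <core>.x-<major>.<patch>[-extra]; dev snapshots use "x" as the patch level.
VERSION_RE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$')
INFO_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)

# Constructed sample of a packaged .info file (not copied from the module).
SAMPLE_INFO = '''; constructed sample
name = Site Documentation
version = "6.x-1.0"
core = 6.x
'''

def version_from_info(info_text):
    """Extract the packaged version string from .info contents, or None."""
    m = INFO_VERSION_RE.search(info_text)
    return m.group(1) if m else None

def classify(version):
    """Return 'affected', 'fixed', or 'review' (cannot be decided automatically)."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "review"              # missing or unparseable version (e.g. a CVS checkout)
    core, major, patch, extra = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if core not in FIXED or patch == "x":
        return "review"              # branch not listed in the advisory, or a -dev snapshot
    fixed = FIXED[core]
    if major != fixed[0]:
        return "review"              # the advisory only covers the 1.x series
    release = (major, int(patch))
    if release < fixed:
        return "affected"
    if release == fixed and extra:
        return "review"              # pre-release of the fixed version, e.g. -rc1
    return "fixed"

if __name__ == "__main__":
    v = version_from_info(SAMPLE_INFO)
    print(v, "->", classify(v))
```

Anything reported as `review` (development snapshots, unversioned checkouts, pre-releases) should be compared by hand against the fixed releases listed above.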
The Site Documentation module maintainer Nancy Wichmann in collaboration with the Drupal security team.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.