  • Advisory ID: SA-2008-034
  • Project: Node Hierarchy (third-party module)
  • Versions: 5.x and 6.x
  • Date: 2008-June-11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The contributed module Node Hierarchy allows nodes to be children of other nodes, creating a tree-like hierarchy of content.

Due to incorrectly implemented access checks, any user with the "access content" permission is able to rearrange the hierarchy. No private data is exposed, and no content can be removed from the site with this attack.

Versions affected

  • Versions of Node Hierarchy for Drupal 5.x before Node Hierarchy 5.x-1.1
  • Versions of Node Hierarchy for Drupal 6.x before Node Hierarchy 6.x-1.0

Drupal core is not affected. If you do not use the contributed Node Hierarchy module, there is nothing you need to do.
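
To check an installed copy against the versions listed above, the following added example (not part of the original advisory or the module's code) reads the version line from a module .info file and compares it with the fixed releases. The sample .info text is constructed, and the example assumes the version line written by drupal.org release packaging; -dev snapshots and copies without a version line are reported as unknown.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"5": (1, 1), "6": (1, 0)}

# Contrib version string: <core>.x-<major>.<patch>[-<extra>], e.g. 6.x-1.0-beta2
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+)(\d*))?$")

# Pre-release tags sort before the final release with the same number.
STAGE = {"unstable": 0, "alpha": 1, "beta": 2, "rc": 3}
FINAL = (4, 0)

# Constructed sample of a packaged module .info file (not taken from the module).
SAMPLE_INFO = '''name = Node Hierarchy
core = 6.x
version = "6.x-1.0-beta2"
'''

def info_version(info_text):
    """Return the value of the 'version' key in .info text, or None if absent."""
    for line in info_text.splitlines():
        m = re.match(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None

def classify(version):
    """Return 'affected', 'fixed', 'not-applicable' or 'unknown'."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"
    core, major, patch, tag, tagnum = m.groups()
    if core not in FIXED:
        return "not-applicable"  # the advisory covers only 5.x and 6.x
    if patch == "x" or (tag is not None and tag not in STAGE):
        return "unknown"  # -dev snapshot or unrecognised suffix: review by hand
    stage = (STAGE[tag], int(tagnum or 0)) if tag else FINAL
    installed = (int(major), int(patch), stage)
    fixed = FIXED[core] + (FINAL,)
    return "affected" if installed < fixed else "fixed"

if __name__ == "__main__":
    print(classify(info_version(SAMPLE_INFO)))
```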

Solution

Install the latest version:

See also the Node Hierarchy project page.

Reported by

Ronny López (dropcube).

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.