- Advisory ID: DRUPAL-SA-2008-062
- Project: SIOC (third-party module)
- Versions: 5.x and 6.x
- Date: 2008-October-08
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The SIOC (Semantically-Interconnected Online Communities) project is an open specification for describing communities using online discussion forums or blogs. The module allows Drupal sites to attach metadata to users, posts, comments etc. in line with this specification.
The module doesn't implement Drupal's menu and database APIs correctly, allowing unprivileged users to view comments, hashed emails, usernames and roles which they might otherwise not have access to.
Versions Affected
- Versions of SIOC for Drupal 5.x prior to 5.x-1.2
- Versions of SIOC for Drupal 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the SIOC module, there is nothing you need to do.
Solution
Install the latest version.
- If you use SIOC for Drupal 5.x, upgrade to SIOC 5.x-1.2
- If you use SIOC for Drupal 6.x, upgrade to SIOC 6.x-1.1
Also see the SIOC project page.
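A check for the affected ranges listed above, as an added example (not part of the advisory or of the SIOC project's code): it reads the version line from a module's .info file and compares it with the fixed releases. The sample .info content is constructed, and treating suffixed releases such as -beta1 as prior to the fix is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"5": (1, 2), "6": (1, 1)}
# Contrib version string: <core>.x-<major>.<patch>[-extra] or <core>.x-<major>.x-dev
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$")


def info_version(info_text):
    """Return the value of the 'version' key from a module .info file, or None."""
    for line in info_text.splitlines():
        m = re.match(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None


def classify(version):
    """Classify a SIOC version string as 'affected', 'fixed' or 'unknown'."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"
    core, major, patch, extra = m.groups()
    if core not in FIXED or patch == "x":
        # Branch not covered by the advisory, or a -dev snapshot whose
        # contents cannot be inferred from the version string alone.
        return "unknown"
    release = (int(major), int(patch))
    if release < FIXED[core]:
        return "affected"
    if release == FIXED[core] and extra:
        # Assumption: a suffix (-beta1, -rc1) marks a pre-release of the fix.
        return "affected"
    return "fixed"


# Constructed sample of a sioc.info file; not the real file.
SAMPLE_INFO = '''name = SIOC
description = "Constructed sample"
core = 6.x
version = "6.x-1.0"
'''

if __name__ == "__main__":
    v = info_version(SAMPLE_INFO)
    print(v, classify(v))
```

A result of "unknown" means the version string alone cannot settle the question and the installed code should be compared against the fixed release.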
Reported by
- Stéphane Corlosquet and Peter Wolanin of the Drupal security team
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.