• Advisory ID: DRUPAL-SA-CONTRIB-2009-014
• Project: CCK Field Privacy
• Version: 6.x
• Date: 2009-March-23
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Access bypass

Description

CCK Field Privacy was incorrectly updated for the Drupal 6.x menu system, with the result that the intended access controls on its administrative pages are bypassed for unprivileged users. This may allow users to change permissions on fields and lead to exposure of private content.

Versions affected

Drupal core is not affected. If you do not use a contributed module from the list above on a Drupal 6 site, there is nothing you need to do.

Solution

Upgrade to the latest version:

Important notes

This vulnerability was publicly disclosed. If you find a security vulnerability, please contact the Security team rather than posting a public issue. If you are a module maintainer, do not commit any security-related code fixes unless you have coordinated with the Security team.

If you are the author of a contributed module being updated for Drupal 6.x, please read carefully the documentation on the Drupal 6 menu system to ensure that you do not make the same mistake: http://drupal.org/node/109157
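A module maintainer can check a ported `hook_menu()` for access settings that do not survive the move to the Drupal 6 menu system. The script below is an added example, not code from the advisory or from CCK Field Privacy. The advisory does not say which mistake the module made, so the patterns checked are common 5.x to 6.x porting errors, and the module source, `example_` names and `audit_menu` function are constructed for illustration.

```python
import re

# Constructed sample, not CCK Field Privacy's code: a careless 5.x -> 6.x port.
SAMPLE_MODULE = r"""
function example_menu() {
  $items['admin/settings/example'] = array(
    'page callback' => 'example_admin_page',
    'access' => user_access('administer example'),
  );
  $items['admin/settings/example/fields'] = array(
    'page callback' => 'example_fields_page',
    'access callback' => TRUE,
  );
  $items['admin/settings/example/log'] = array(
    'page callback' => 'example_log_page',
    'access callback' => user_access('administer example'),
  );
  $items['admin/settings/example/ok'] = array(
    'page callback' => 'example_ok_page',
    'access arguments' => array('administer example'),
  );
  return $items;
}
"""

ITEM_RE = re.compile(r"\$items\[\s*'([^']+)'\s*\]\s*=\s*array\((.*?)\n\s*\);", re.S)
CHECKS = [
    ("5.x 'access' key is not read by the 6.x menu system",
     re.compile(r"'access'\s*=>")),
    ("'access callback' => TRUE lets every user in",
     re.compile(r"'access callback'\s*=>\s*TRUE\b", re.I)),
    ("function called while the menu is built; its result is stored for all users",
     re.compile(r"'access callback'\s*=>\s*\w+\s*\(")),
]
HAS_6X_ACCESS = re.compile(r"'access (?:callback|arguments)'\s*=>")

def audit_menu(source):
    """Return (path, finding) pairs for risky access settings in hook_menu()."""
    findings = []
    for path, body in ITEM_RE.findall(source):
        hits = [msg for msg, rx in CHECKS if rx.search(body)]
        if not HAS_6X_ACCESS.search(body):
            hits.append("no 6.x access key: access is inherited from a parent path or denied")
        findings.extend((path, msg) for msg in hits)
    return findings

if __name__ == "__main__":
    for path, msg in audit_menu(SAMPLE_MODULE):
        print(f"{path}: {msg}")
```

The regular expressions are a heuristic for the usual `$items['path'] = array(...);` layout, so a flagged path still needs to be confirmed by requesting it as an unprivileged user.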

Reported by

This vulnerability was publicly disclosed.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.