- Advisory ID: DRUPAL-SA-CONTRIB-2009-014
- Project: CCK Field Privacy
- Version: 6.x
- Date: 2009-March-23
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
CCK Field Privacy was incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls for the administrative pages are bypassed for unprivileged users. This may allow users to change permissions on fields and lead to exposure of private content.
Versions affected
- CCK Field Privacy module 6.x before version 6.x-1.1
Drupal core is not affected. If you do not use a contributed module from the list above on a Drupal 6 site, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you are using CCK Field Privacy 6.x, update to CCK Field Privacy 6.x-1.1
Important notes
This vulnerability was publicly disclosed. If you find a security vulnerability, please contact the Security team rather than posting a public issue. If you are a module maintainer, do not commit any security-related code fixes unless you have coordinated with the Security team.
If you are the author of a contributed module being updated for Drupal 6.x, please read carefully the documentation on the Drupal 6 menu system to ensure that you do not make the same mistake: http://drupal.org/node/109157
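A check a maintainer can run over a ported hook_menu() array, as an added example that is not code from CCK Field Privacy or from this advisory. The module name example_privacy, its paths, form IDs and permission string are hypothetical, and the advisory does not state which specific porting mistake the module made.

```php
<?php
// Added example: hypothetical module "example_privacy", not CCK Field Privacy code.

// Stub so the script also runs outside Drupal (assumption for this example).
if (!function_exists('user_access')) {
  function user_access($perm) { return FALSE; }
}

// Drupal 6 hook_menu(): items are keyed by path; access is declared with
// 'access callback' / 'access arguments'.
function example_privacy_menu() {
  $items = array();
  // Incomplete port: Drupal 6 does not read the Drupal 5 'access' key, so
  // this permission check is never attached to the path.
  $items['admin/settings/example_privacy/legacy'] = array(
    'title' => 'Legacy settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_privacy_legacy_form'),
    'access' => user_access('administer example privacy'),
  );
  // Correct port: user_access() is the default access callback and receives
  // the permission name at request time.
  $items['admin/settings/example_privacy'] = array(
    'title' => 'Example privacy settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_privacy_admin_form'),
    'access arguments' => array('administer example privacy'),
  );
  return $items;
}

// Flag router items whose access declaration needs review.
function example_privacy_audit_menu(array $items) {
  $findings = array();
  foreach ($items as $path => $item) {
    if (array_key_exists('access', $item)) {
      $findings[$path][] = "Drupal 5 'access' key is ignored by Drupal 6";
    }
    if (isset($item['access callback']) && $item['access callback'] === TRUE) {
      $findings[$path][] = "'access callback' => TRUE admits every user";
    }
    if (!isset($item['access callback']) && !isset($item['access arguments'])) {
      $findings[$path][] = "no 'access callback' or 'access arguments' declared";
    }
  }
  return $findings;
}

print_r(example_privacy_audit_menu(example_privacy_menu()));
```

Only the legacy path is reported, with two findings; the correctly ported item passes.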
Reported by
This vulnerability was publicly disclosed.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.