- Advisory ID: DRUPAL-SA-CONTRIB-2009-058
- Project: Comment RSS (third-party module)
- Version: 5.x, 6.x
- Date: 2009-September-16
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The Comment RSS module provides RSS feeds for comments on individual nodes. The link to this feed contains the node's title. The module added the link to the RSS feed without respecting access permissions, potentially exposing content not otherwise available.
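One way to check a site for this exposure, as an added example that is not part of the advisory or the module's code: the script scans a page's HTML, as served to an account without access to the node, for feed links whose title contains a restricted node title. The function names, the sample HTML, the feed path placeholder and the assumption that the feed is advertised through a `<link>` or `<a>` element carrying an RSS/Atom `type` attribute are all illustrative.

```python
from html.parser import HTMLParser

FEED_TYPES = {"application/rss+xml", "application/atom+xml"}


class FeedLinkCollector(HTMLParser):
    """Collect (href, title) for every feed link advertised in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.feeds = []

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive with HTML entities already decoded.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("link", "a") and a.get("type", "").strip().lower() in FEED_TYPES:
            self.feeds.append((a.get("href", ""), a.get("title", "")))


def leaked_titles(html, restricted_titles):
    """Return (title, feed href) pairs where a restricted node title
    shows up in a feed link served to a user who cannot view that node."""
    collector = FeedLinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href, title in collector.feeds:
        for secret in restricted_titles:
            if secret.casefold() in title.casefold():
                hits.append((secret, href))
    return hits


# Constructed sample: a page fetched without access to node 42.
SAMPLE_BEFORE = """<html><head><title>example.test</title>
<link rel="alternate" type="application/rss+xml"
      title="Comments for &quot;Internal budget draft&quot;"
      href="/FEED-PATH-PLACEHOLDER/42" />
</head><body></body></html>"""

# Constructed sample: the same page once only the site-wide feed is advertised.
SAMPLE_AFTER = """<html><head><title>example.test</title>
<link rel="alternate" type="application/rss+xml"
      title="example.test RSS" href="/rss.xml" />
</head><body></body></html>"""

if __name__ == "__main__":
    print(leaked_titles(SAMPLE_BEFORE, ["Internal budget draft"]))
    print(leaked_titles(SAMPLE_AFTER, ["Internal budget draft"]))
```

Run it against pages fetched with an unprivileged session, both before and after the upgrade, and feed it the titles of nodes that session should not be able to see.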
Versions affected
- Comment RSS for Drupal 5.x before Comment RSS 5.x-2.2
- Comment RSS for Drupal 6.x before Comment RSS 6.x-2.2
Drupal core is not affected. If you do not use the contributed Comment RSS module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal 5.x, upgrade to Comment RSS 5.x-2.2.
- If you use Drupal 6.x, upgrade to Comment RSS 6.x-2.2.
See also the Comment RSS project page.
Reported by
Dave Reid of the Drupal Security Team and co-maintainer of the Comment RSS module
Fixed by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.