  • Advisory ID: DRUPAL-SA-CONTRIB-2010-112
  • Project: oEmbed (third-party module)
  • Version: 6.x
  • Date: 2010-December-22
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The oEmbed module allows a Drupal site to embed content from oEmbed providers, and to become an oEmbed provider itself so that other oEmbed-enabled websites can embed its content.

If an external site requested to embed a node, the oEmbed provider did not check node access, so content not otherwise accessible to a user could be embedded.

This only affects sites that are using the oEmbed Provider sub-module.
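
The missing check, as an added example that is not the oEmbed module's own code: a provider callback modelled with and without a `node_access('view', $node)` test before the response is built. The `example_oembed_*` functions, the sample nodes and the stand-in `node_load()` / `node_access()` definitions are assumptions so that the file also runs outside Drupal.

```php
<?php
// Inside Drupal 6, node_load() and node_access() are core functions; the
// stand-ins below use constructed data so this file also runs on its own.
if (!function_exists('node_load')) {
  function node_load($nid) {
    $nodes = array(  // constructed sample nodes
      1 => array('nid' => 1, 'title' => 'Public post', 'status' => 1),
      2 => array('nid' => 2, 'title' => 'Unpublished draft', 'status' => 0),
    );
    return isset($nodes[$nid]) ? (object) $nodes[$nid] : FALSE;
  }
  // Simplified stand-in: the requester may only view published nodes.
  function node_access($op, $node, $account = NULL) {
    return $op == 'view' && $node->status == 1;
  }
}

// Hypothetical helper: map a requested URL of the form /node/N to a node ID.
function example_oembed_nid_from_url($url) {
  $path = trim((string) parse_url($url, PHP_URL_PATH), '/');
  return preg_match('@^node/(\d+)$@', $path, $m) ? (int) $m[1] : 0;
}

// Pattern the advisory describes: the node is loaded and returned unchecked.
function example_oembed_provider_unchecked($url) {
  $node = node_load(example_oembed_nid_from_url($url));
  if (!$node) {
    return array(404, NULL);
  }
  return array(200, array('type' => 'link', 'version' => '1.0', 'title' => $node->title));
}

// Hardened form: same lookup, but refuse unless the requester may view it.
function example_oembed_provider_checked($url) {
  $node = node_load(example_oembed_nid_from_url($url));
  if (!$node) {
    return array(404, NULL);
  }
  if (!node_access('view', $node)) {
    return array(401, NULL);  // oEmbed status for a private resource
  }
  return array(200, array('type' => 'link', 'version' => '1.0', 'title' => $node->title));
}

foreach (array('http://example.com/node/1', 'http://example.com/node/2') as $url) {
  list($unchecked) = example_oembed_provider_unchecked($url);
  list($checked) = example_oembed_provider_checked($url);
  print "$url unchecked=$unchecked checked=$checked\n";
}
```

The same test belongs in any callback that serves node-derived data outside the normal node page, since Drupal's menu access for `node/N` does not protect a separate endpoint.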

Versions affected

  • oEmbed module for Drupal 6.x versions prior to 6.x-0.8

Drupal core is not affected. If you do not use the contributed oEmbed module, together with its oEmbed provider module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the oEmbed module for Drupal 6.x, upgrade to oEmbed 6.x-0.8.

See also the oEmbed project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.