* Advisory ID: DRUPAL-SA-CONTRIB-2010-045
* Project: Auto Assign Role (third-party module)
* Version: 6.x
* Date: 2010-May-12
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Auto Assign Role serves three primary purposes. The first is to provide
an automatic assignment of roles when a new account is created. The second is
to allow the end user the option of choosing their own role or roles when
they create their account. The third is to provide paths that will trigger a
specific role when an account is created. Auto Assign Role recently added a
node autocomplete that did not properly utilize the Drupal node access API.
This may allow users with the 'administer autoassignrole' permission users to
view the content of nodes that they should not have permission to access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* AutoAssign Role [1] module for Drupal 6.x version prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Auto Assign
Role module for Drupal 6.x, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version or disable the module. If you use Auto Assign Role
prior to 6.x-1.2, upgrade to Auto Assign Role 6.x-1.2 [2]
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [3].
-------- FIXED BY
------------------------------------------------------------
* Kevin Bridges [4], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at
drupal.org or via
the form at
http://drupal.org/contact [5].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1]
http://drupal.org/project/autoassignrole
[2]
http://drupal.org/node/795926
[3]
http://drupal.org/user/383424
[4]
[5]
http://drupal.org/contact
_______________________________________________
Security-news mailing list
Securi...@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
--
Has recibido este mensaje porque estás suscrito a Grupo "Drupal Perú"
de Grupos de Google.
Si quieres publicar en este grupo, envía un mensaje de correo
electrónico a
drupa...@googlegroups.com
Y revisa las reglas
http://groups.google.es/group/drupal-peru/web
Para anular la suscripción a este grupo, envía un mensaje a
drupal-peru...@googlegroups.com
Para obtener más opciones, visita este grupo en
http://groups.google.es/group/drupal-peru?hl=es.