[Security-news] SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities

0 views
Skip to first unread message

securi...@drupal.org

unread,
Feb 17, 2010, 5:55:06 PM2/17/10
to securi...@drupal.org
* Advisory ID: DRUPAL-SA-CONTRIB-2010-018
* Project: Content Distribution (third-party module)
* Version: 6.x
* Date: 2010 February 17
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Mulitple Vulnerabilities

-------- DESCRIPTION
---------------------------------------------------------

Content Distribution module allows calling a method to delete particular
nodes using a XML-RPC call. When this method is allowed to be called by
anonymous users in user permissions, an attacker might delete a random node.
In addition, certain actions require Content Distribution to temporarily
switch users. This is being done without properly disabling session saving.
-------- VERSIONS AFFECTED
---------------------------------------------------

* Content Distribution prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed Content
Distribution module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------

Install the latest version:
* If you use Content Distribution for Drupal 6.x upgrade to Content
Distribution 6.x-1.3 [1].

See also the Content Distribution project page [2].
-------- REPORTED BY
---------------------------------------------------------

* Joachim Noreiko (joachim [3]), the module co-maintainer.

-------- FIXED BY
------------------------------------------------------------

* Joachim Noreiko (joachim [4]), the module co-maintainer.

-------- CONTACT
-------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/716400
[2] http://drupal.org/project/content_distribution
[3] http://drupal.org/user/107701
[4] http://drupal.org/user/107701

_______________________________________________
Security-news mailing list
Securi...@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news

Reply all
Reply to author
Forward
0 new messages