[drupal-peru] [Security-news] SA-CONTRIB-2010-037 - Decisions - Access bypass

0 views
Skip to first unread message

securi...@drupal.org

unread,
Apr 28, 2010, 3:02:33 PM4/28/10
to securi...@drupal.org
* Advisory ID: DRUPAL-SA-CONTRIB-2010-037
* Project: Decisions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-April-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

-------- DESCRIPTION
---------------------------------------------------------

Decisions is a replacement for poll.module and provides advanced voting
systems and decision-making tools. It aims to enable groups to take decisions
online in a manner that replicates and augments what is possible in
face-to-face meeting. In some listings, the Decisions module does not
construct its SQL query to respect node access restrictions, thus users can
see listings of nodes which should not be accessible to them.
-------- VERSIONS AFFECTED
---------------------------------------------------

* Decisions for Drupal 5.x versions prior to 5.x-1.2
* Decisions for Drupal 6.x versions prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed Decisions [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------

Install the latest version.
* If you use Decisions for Drupal 5.x upgrade to Decisions 5.x-1.2 [2]
* If you use Decisions for Drupal 6.x upgrade to Decisions 6.x-1.7 [3]

-------- REPORTED BY
---------------------------------------------------------

* Kirill Stealth [4]

-------- FIXED BY
------------------------------------------------------------

* Antoine Beaupré [5], module maintainer.
* Ezra Barnett Gildesgame [6], module maintainer.

-------- CONTACT
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/decisions
[2] http://drupal.org/node/784444
[3] http://drupal.org/node/783766
[4] http://drupal.org/user/205226
[5] http://drupal.org/user/1274
[6] http://drupal.org/user/69959

_______________________________________________
Security-news mailing list
Securi...@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news

--
Has recibido este mensaje porque estás suscrito a Grupo "Drupal Perú"
de Grupos de Google.
Si quieres publicar en este grupo, envía un mensaje de correo
electrónico a drupa...@googlegroups.com
Y revisa las reglas
http://groups.google.es/group/drupal-peru/web
Para anular la suscripción a este grupo, envía un mensaje a
drupal-peru...@googlegroups.com
Para obtener más opciones, visita este grupo en
http://groups.google.es/group/drupal-peru?hl=es.
Reply all
Reply to author
Forward
0 new messages