Bugtraq mailing list archives

[DRUPAL-SA-2005-009] Drupal 4.6.4 / 4.5.6 fixes minor access control issue
From: Uwe Hermann <uwe () hermann-uwe de>
Date: Thu, 1 Dec 2005 16:46:14 +0100

Drupal security advisory                                  DRUPAL-SA-2005-009
Advisory ID:    DRUPAL-SA-2005-009
Project:        Drupal core
Date:           2005-11-30
Security risk:  not critical
Impact:         normal
Where:          from remote
Vulnerability:  bypass access control

Andrew Widdowson informed us that it's possible to bypass the 'access user
profile' permission if the server is running PHP5. No data can be changed

Versions affected
Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3

- If you are running Drupal 4.6.x and PHP5, then upgrade to Drupal 4.6.4.

The security contact for Drupal can be reached at security at drupal.org
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.
Uwe Hermann <uwe () hermann-uwe de>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de

Attachment: signature.asc
Description: Digital signature
