Private - Critical - Access bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-031
* Project: Private (third-party module)
* Version: 7.x
* Date: 2017-March-15
* Security risk: 15/25 (Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module enables you to mark nodes as private so that they are only
accessible to users that have been granted an extra permission.

The module doesn't always enforce the access restrictions. In some cases, a
node that a site admin expects to be private is actually accessible as normal,
or nodes may be editable in ways a site admin may not expect.

VERSIONS AFFECTED

* Private 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Private module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Private module 7.x-1.x your site may be at risk. The only
completely safe option is to take the website off-line. In most cases,
disabling the module will not mitigate the vulnerabilities as that will
expose even more private information.
* A new maintainer has developed a beta secure version of the module using
the 7.x-2.x branch. This is a partial rewrite and /needs further
testing/.
Please test it and provide bug reports and help developing patches.
