Wednesday, January 14, 2009

[Security announcements] SA-CONTRIB-2009-003 - Internationalizaion (i18n) Translation module - Access bypass

---- SA-CONTRIB-2009-003 - INTERNATIONALIZAION (I18N) TRANSLATION MODULE -
ACCESS BYPASS ----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-003

* Project: Internationalization (i18n) (third-party module)

* Version: 5.x-2.x

* Date: 2009-January-14

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: Access bypass

---- DESCRIPTION ----

The third-party i18n module enables users to make a translation of an existing
item of content (a node). In that process the existing node's content is copied
into the new node.

The module contains a flaw that allows a user with the 'translate node'
permission to potentially bypass normal viewing access restrictions, for example
allowing the user to see the content of unpublished nodes even if they do not
have permission to view unpublished nodes.

---- VERSIONS AFFECTED ----

* All 5.x versions of Internationalization (i18n) prior to 5.x-2.5.

Drupal core is not affected. If you do not use the contributed
Internationalization (i18n) module, there is nothing you need to do.

---- SOLUTION ----

Install the latest version:

* If you use 5.x-2.x upgrade to Internationalization 5.x-2.5 [
http://drupal.org/node/358986 ].

See also the Internationalization project page [ http://drupal.org/project/i18n
].

---- REPORTED BY ----

Wolfgang Ziegler [ http://drupal.org/user/16747 ] and by Nat Catchpole [
http://drupal.org/user/35733 ] of the Drupal security team.

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

--
Unsubscribe from this newsletter: http://drupal.org/newsletter/confirm/remove/73ff60b93f11343t44

No comments: