Thursday, January 15, 2009

[Security announcements] SA-CONTRIB-2009-004 - Notify - Privilege escalation

---- SA-CONTRIB-2009-004 - NOTIFY - PRIVILEGE ESCALATION ----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-004

* Project: Notify

* Versions: 5.x

* Date: 2009-January-15

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Privilege escalation

---- DESCRIPTION ----

A user triggering the cron processing of the Notify module may end up getting
logged in as another user when the Notify operations do not complete
successfully.

---- VERSIONS AFFECTED ----

* Versions of Notify for Drupal 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the Notify module, there is
nothing you need to do.

---- SOLUTION ----

Install the latest version.

* If you use Notify for Drupal 5.x, upgrade to 5.x-1.2 [
http://drupal.org/node/358495 ]

Also see the Notify project page [ http://drupal.org/project/notify ].

---- REPORTED BY ----

Philippe Jadin and Bill Kennedy

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.
