[DRUPAL-SA-2005-009] Drupal 4.6.4 / 4.5.6 fixes minor access control issue Dec 01 2005 03:46PM
Uwe Hermann (uwe hermann-uwe de)
Drupal security advisory DRUPAL-SA-2005-009
Advisory ID: DRUPAL-SA-2005-009
Project: Drupal core
Date: 2005-11-30
Security risk: not critical
Impact: normal
Where: from remote
Vulnerability: bypass access control

Andrew Widdowson informed us that it's possible to bypass the 'access user
profile' permission if the server is running PHP5. No data can be changed

Versions affected
Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3

- If you are running Drupal 4.6.x and PHP5, then upgrade to Drupal 4.6.4.

The security contact for Drupal can be reached at security at drupal.org
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.
Uwe Hermann <uwe (at) hermann-uwe (dot) de>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
