Drupal Multi-Language Link And Redirect 6.x / 7.x Access Bypass

Posted Nov 29, 2012
Authored by Andy Inman | Site drupal.org

Drupal Multi-Language Link and Redirect third party module versions 6.x and 7.x suffer from an access bypass vulnerability.

tags | advisory, bypass
MD5 | 6df69eb7c4fceda072cedd92175ed0a8

View online: http://drupal.org/node/1853244

* Advisory ID: DRUPAL-SA-CONTRIB-2012-170
* Project: Multi-Language Link and Redirect (MultiLink) [1] (third-party
module)
* Version: 6.x, 7.x
* Date: 2012-November-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

MultiLink allows you to generate in-content links to a suitable node or node
translation based on the visitor's language preferences. It allows the Node
Title of the target node to be shown as the visible text and title attribute
for the generated link.

Prior to versions 6.x-2.7 and 7.x-2.7, the module does not check that the
current user has access to a node referenced by the generated link, so the
node title (only) may be disclosed to a user who would otherwise have no
access to that node.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit text using an Input Format for which the
MultiLink Filter has been enabled.
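
The missing check described above, modelled as an added standalone PHP example (not MultiLink's or Drupal's own code). The `[[node:NID]]` marker syntax, the `demo_*` function names and the sample nodes and roles are constructed for illustration.

```php
<?php
// Constructed sample data standing in for a site's nodes and their view access.
$NODES = array(
  10 => array('title' => 'Public roadmap', 'view_roles' => array('author', 'editor')),
  11 => array('title' => 'Unannounced merger', 'view_roles' => array('editor')),
);

// Hypothetical stand-in for a per-user check such as Drupal's node_access('view', $node).
function demo_node_access(array $node, $role) {
  return in_array($role, $node['view_roles'], TRUE);
}

// Expands constructed [[node:NID]] markers into links that show the node title.
// $check_access = FALSE models the behaviour the advisory describes before 2.7.
function demo_expand_links($text, $role, $check_access) {
  $nodes = $GLOBALS['NODES'];
  return preg_replace_callback('/\[\[node:(\d+)\]\]/',
    function ($m) use ($nodes, $role, $check_access) {
      $nid = (int) $m[1];
      // With the check on, unknown and forbidden nodes get identical output,
      // so the marker reveals neither a title nor whether the node exists.
      if (!isset($nodes[$nid]) ||
          ($check_access && !demo_node_access($nodes[$nid], $role))) {
        return $m[0];
      }
      $title = htmlspecialchars($nodes[$nid]['title'], ENT_QUOTES, 'UTF-8');
      return '<a href="/node/' . $nid . '" title="' . $title . '">' . $title . '</a>';
    }, $text);
}

// The 'author' role may edit text in the filtered format but cannot view node 11.
$text = 'See [[node:10]] and [[node:11]].';
// Unchecked expansion: the link for node 11 carries its title.
echo demo_expand_links($text, 'author', FALSE), "\n";
// Checked expansion: only node 10 becomes a link; the node 11 marker stays as typed.
echo demo_expand_links($text, 'author', TRUE), "\n";
```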

CVE: Requested

-------- VERSIONS AFFECTED
---------------------------------------------------

* MultiLink 6.x-2.x versions prior to 6.x-2.7 [3].
* MultiLink 7.x-2.x versions prior to 7.x-2.7 [4].

Drupal core is not affected. If you do not use the contributed Multi-Language
Link and Redirect (MultiLink) [5] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version - see the project page
http://drupal.org/project/multilink [6] for downloads.

Also see the Multi-Language Link and Redirect (MultiLink) [7] project page.

-------- REPORTED BY
---------------------------------------------------------

* Andy Inman [8] the module maintainer

-------- FIXED BY
------------------------------------------------------------

* Andy Inman [9] the module maintainer

-------- COORDINATED BY
------------------------------------------------------

* Stéphane Corlosquet [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/multilink
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1289292
[4] http://drupal.org/node/1289294
[5] http://drupal.org/project/multilink
[6] http://drupal.org/project/multilink
[7] http://drupal.org/project/multilink
[8] http://drupal.org/user/216383
[9] http://drupal.org/user/216383
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration