Drupal Invitation 7.x Access Bypass

Drupal Invitation 7.x Access Bypass: Posted Nov 20, 2013; Authored by j1ndustry | Site drupal.org; Drupal Invitation third party module version 7.x suffers from an access bypass vulnerability.; tags | advisory, bypass; SHA-256 | 176d222c03bc1e9a7a15daf5f2ef794edc06ffc1f8f08ea0cb40c33dbcae33e5; Download | Favorite | View

Drupal Invitation 7.x Access Bypass

View online: https://drupal.org/node/2140097

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-093
   * Project: Invitation [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-20
   * Security risk: Critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

The Invitation module restricts registration to users who have an invite code
(for running a private beta).
The module provides default views that don't check access to views prior to
displaying private information like usernames and email addresses.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Invitation 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Invitation [4]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

If you use the Invitation module for Drupal 7.x, you should disable the
module. There is no release with a fix.

Also see the Invitation [5] project page.

-------- REPORTED BY
---------------------------------------------------------

   * j1ndustry [6]

-------- FIXED BY
------------------------------------------------------------

Not applicable.

-------- COORDINATED BY
------------------------------------------------------

   * Greg Knaddison [7] and Lee Rowlands [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/invitation
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/invitation
[5] http://drupal.org/project/invitation
[6] http://drupal.org/user/2688277
[7] http://drupal.org/user/36762
[8] https://drupal.org/user/395439
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

Top Authors In Last 30 Days

Red Hat 270 files
indoushka 152 files
Jay Turla 150 files
Ubuntu 68 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Debian 27 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,066)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,731)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,807)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

Drupal Invitation 7.x Access Bypass

Drupal Invitation 7.x Access Bypass

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Drupal Invitation 7.x Access Bypass

Share This

Drupal Invitation 7.x Access Bypass

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems