View online: http://drupal.org/node/1853244

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-170
  * Project: Multi-Language Link and Redirect (MultiLink) [1] (third-party
    module)
  * Version: 6.x, 7.x
  * Date: 2012-November-28
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

-------- DESCRIPTION  
---------------------------------------------------------

MultiLink allows you to generate in-content links to a suitable node or node
translation based on the visitor's language preferences. It allows the Node
Title of the target node to be shown as the visible text and title attribute
for the generated link.

Prior to versions 6.x-2.7 and 7.x-2.7 the module doesn't check the the
current user has access to a node referenced by the generated link, so that
node title (only) may be disclosed to a user who would otherwise have no
access to that node.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit text using an Input Format for which the
MultiLink Filter has been enabled.

CVE: Requested

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * MulitLink 6.x-2.x versions prior to 6.x-2.7 [3].
  * MulitLink 7.x-2.x versions prior to 7.x-2.7 [4].

Drupal core is not affected. If you do not use the contributed Multi-Language
Link and Redirect (MultiLink) [5] module, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version - see the project page
http://drupal.org/project/multilink [6] for downloads.

Also see the Multi-Language Link and Redirect (MultiLink) [7] project page.

-------- REPORTED BY  
---------------------------------------------------------

  * Andy Inman [8] the module maintainer

-------- FIXED BY  
------------------------------------------------------------

  * Andy Inman [9] the module maintainer

-------- COORDINATED BY  
------------------------------------------------------

  * Stéphane Corlosquet [10] of the Drupal Security Team
  * Greg Knaddison [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/multilink
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1289292
[4] http://drupal.org/node/1289294
[5] http://drupal.org/project/multilink
[6] http://drupal.org/project/multilink
[7] http://drupal.org/project/multilink
[8] http://drupal.org/user/216383
[9] http://drupal.org/user/216383
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news