
drupal7: restriction bypass

Package(s): drupal7
CVE #(s):
Created: August 9, 2011
Updated: August 10, 2011
Description: From the Drupal advisory:

Drupal 7 contains two new features: the ability to attach File upload fields to any entity type in the system and the ability to point individual File upload fields to the private file directory.

If a Drupal site is using these features on comments, and the parent node is denied access (either by a node access module or by being unpublished), the file attached to the comment can still be downloaded by non-privileged users if they know or guess its direct URL.

Fedora FEDORA-2011-9893 drupal7 2011-07-31
Fedora FEDORA-2011-9845 drupal7 2011-07-31
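
The access decision described in the advisory, as an added example that is not Drupal's code or part of the advisory: a simplified Python model in which a private file attached to a comment must inherit the access decision of the comment's parent node. All class, field and function names and the sample data are assumptions made for illustration; the "flawed" check only models the reported behaviour, not the actual Drupal implementation.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Node:
    nid: int
    published: bool
    allowed_uids: Optional[Set[int]] = None  # None: no node access module restriction

@dataclass
class Comment:
    cid: int
    node: Node  # parent node of the comment

@dataclass
class PrivateFile:
    uri: str
    comment: Comment  # entity the file upload field is attached to

@dataclass
class User:
    uid: int
    is_admin: bool = False

def can_view_node(user: User, node: Node) -> bool:
    """Node-level decision: publication status plus any per-user grants."""
    if user.is_admin:
        return True
    if not node.published:
        return False
    return node.allowed_uids is None or user.uid in node.allowed_uids

def download_allowed_flawed(user: User, f: PrivateFile) -> bool:
    """Models the reported behaviour: the parent node is never consulted."""
    return f.comment is not None

def download_allowed_fixed(user: User, f: PrivateFile) -> bool:
    """File on a comment inherits the access decision of the parent node."""
    return can_view_node(user, f.comment.node)

def audit(user: User, files) -> list:
    """URIs the flawed check would serve but the parent-aware check denies."""
    return [f.uri for f in files
            if download_allowed_flawed(user, f) and not download_allowed_fixed(user, f)]

# Constructed sample data: one public, one unpublished, one access-restricted node.
NODES = [Node(1, True), Node(2, False), Node(3, True, allowed_uids={7})]
FILES = [PrivateFile(f"private://c{n.nid}.pdf", Comment(n.nid, n)) for n in NODES]
```

Running `audit` for each role against a site's real file-to-entity mapping gives a regression check that download access follows the parent node after upgrading.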


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds